netwire | b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe

General

Target

b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
Size

192KB
MD5

7c417ad243871bc6419878e3063875b6
SHA1

0c86d8dc5e638a39b654acc72747dc182a20caec
SHA256

b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe
SHA512

8604f69e7da7dbedcf706192661431c194d80decaf28284ca9014a6fb072d6af405579d82f769f2058e3cd1c3f5d09684101a78b798d2161af7e638b706b1a59
SSDEEP

3072:0QaHPTRd51hQzvDsrh9aQnyT5zZhR+QmJm26LZg/ljDc8XSjbOrObfP:+PT351qT4r/aQnyiJn66/tqX

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2636-135-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/2636-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2636-138-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2636-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4836-145-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4836-149-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1132 Host.exe
4836 Host.exe

pid	process
1132	Host.exe
4836	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exeHost.exe

pid process

1304 b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
1132 Host.exe

pid	process
1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
1132	Host.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exeb0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exeHost.exe

description	pid	process	target process
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 1304 wrote to memory of 2636	1304	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
PID 2636 wrote to memory of 1132	2636	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	Host.exe
PID 2636 wrote to memory of 1132	2636	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	Host.exe
PID 2636 wrote to memory of 1132	2636	b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe
PID 1132 wrote to memory of 4836	1132	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
"C:\Users\Admin\AppData\Local\Temp\b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe
"C:\Users\Admin\AppData\Local\Temp\b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
192KB

MD5
7c417ad243871bc6419878e3063875b6

SHA1
0c86d8dc5e638a39b654acc72747dc182a20caec

SHA256
b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe

SHA512
8604f69e7da7dbedcf706192661431c194d80decaf28284ca9014a6fb072d6af405579d82f769f2058e3cd1c3f5d09684101a78b798d2161af7e638b706b1a59

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
192KB

MD5
7c417ad243871bc6419878e3063875b6

SHA1
0c86d8dc5e638a39b654acc72747dc182a20caec

SHA256
b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe

SHA512
8604f69e7da7dbedcf706192661431c194d80decaf28284ca9014a6fb072d6af405579d82f769f2058e3cd1c3f5d09684101a78b798d2161af7e638b706b1a59

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
192KB

MD5
7c417ad243871bc6419878e3063875b6

SHA1
0c86d8dc5e638a39b654acc72747dc182a20caec

SHA256
b0b885d27dfdb7d0f695985db06553a7ce2db2a967fe7092d75675a08049befe

SHA512
8604f69e7da7dbedcf706192661431c194d80decaf28284ca9014a6fb072d6af405579d82f769f2058e3cd1c3f5d09684101a78b798d2161af7e638b706b1a59

Download Submit
memory/1132-140-0x0000000000000000-mapping.dmp

Download
memory/1304-134-0x0000000002C10000-0x0000000002C16000-memory.dmp

Filesize
24KB

Download
memory/1304-136-0x0000000002C10000-0x0000000002C16000-memory.dmp

Filesize
24KB

Download
memory/2636-135-0x0000000000000000-mapping.dmp

Download
memory/2636-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4836-145-0x0000000000000000-mapping.dmp

Download
memory/4836-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads