netwire | 3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa

General

Target

3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
Size

164KB
MD5

710b2f2fb3898204ad45b9851e5d12d3
SHA1

d6978ce690d30011493eba3208b2cba46e4721c2
SHA256

3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa
SHA512

1e77950b48cd166a6f9536df6b0e46b2e39f4590bf1bc0b1fd8af7cc9c372a91a01aa6e41673a39946d8aec24d93db00a25a278fb726c6314aba9b18d4c6f940
SSDEEP

3072:pZUfHqXNtYNd0dtksxvm1Q5LXfWn20lbtDaCPKGdAsUg:pZUfHytYY2s4Q5L4ZDj3

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2432-135-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/2432-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2432-138-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2432-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4480-145-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4480-149-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ATIRegUpdate.exeATIRegUpdate.exe

pid process

5044 ATIRegUpdate.exe
4480 ATIRegUpdate.exe

pid	process
5044	ATIRegUpdate.exe
4480	ATIRegUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ATIRegUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ATIRegUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\ATIRegUpdate.exe"	ATIRegUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	ATIRegUpdate.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exeATIRegUpdate.exe

pid process

1256 3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
5044 ATIRegUpdate.exe

pid	process
1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
5044	ATIRegUpdate.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exeATIRegUpdate.exe

description	pid	process	target process
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 1256 wrote to memory of 2432	1256	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
PID 2432 wrote to memory of 5044	2432	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	ATIRegUpdate.exe
PID 2432 wrote to memory of 5044	2432	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	ATIRegUpdate.exe
PID 2432 wrote to memory of 5044	2432	3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe
PID 5044 wrote to memory of 4480	5044	ATIRegUpdate.exe	ATIRegUpdate.exe

C:\Users\Admin\AppData\Local\Temp\3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
"C:\Users\Admin\AppData\Local\Temp\3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe
"C:\Users\Admin\AppData\Local\Temp\3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Roaming\Install\ATIRegUpdate.exe
-m "C:\Users\Admin\AppData\Local\Temp\3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Roaming\Install\ATIRegUpdate.exe
-m "C:\Users\Admin\AppData\Local\Temp\3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\ATIRegUpdate.exe
Filesize
164KB

MD5
710b2f2fb3898204ad45b9851e5d12d3

SHA1
d6978ce690d30011493eba3208b2cba46e4721c2

SHA256
3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa

SHA512
1e77950b48cd166a6f9536df6b0e46b2e39f4590bf1bc0b1fd8af7cc9c372a91a01aa6e41673a39946d8aec24d93db00a25a278fb726c6314aba9b18d4c6f940

Download Submit
C:\Users\Admin\AppData\Roaming\Install\ATIRegUpdate.exe
Filesize
164KB

MD5
710b2f2fb3898204ad45b9851e5d12d3

SHA1
d6978ce690d30011493eba3208b2cba46e4721c2

SHA256
3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa

SHA512
1e77950b48cd166a6f9536df6b0e46b2e39f4590bf1bc0b1fd8af7cc9c372a91a01aa6e41673a39946d8aec24d93db00a25a278fb726c6314aba9b18d4c6f940

Download Submit
C:\Users\Admin\AppData\Roaming\Install\ATIRegUpdate.exe
Filesize
164KB

MD5
710b2f2fb3898204ad45b9851e5d12d3

SHA1
d6978ce690d30011493eba3208b2cba46e4721c2

SHA256
3a4eefa976a8911003a83508aa348c63ff7be87c4c7a90445542af8a140c78fa

SHA512
1e77950b48cd166a6f9536df6b0e46b2e39f4590bf1bc0b1fd8af7cc9c372a91a01aa6e41673a39946d8aec24d93db00a25a278fb726c6314aba9b18d4c6f940

Download Submit
memory/1256-134-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/1256-136-0x0000000002230000-0x0000000002236000-memory.dmp

Filesize
24KB

Download
memory/2432-135-0x0000000000000000-mapping.dmp

Download
memory/2432-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2432-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2432-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4480-145-0x0000000000000000-mapping.dmp

Download
memory/4480-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5044-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads