netwire | 68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

General

Target

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
Size

136KB
MD5

21b289e88c52899e189bd93995cd4f45
SHA1

4b73d5200538d31d5a8aebab6ca2387df4489d96
SHA256

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b
SHA512

013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703
SSDEEP

3072:RM+9i7SFCIXJZHWYekfrwKQjSs2cRgIuabx0AW9CVcpdPdMJ:RMTCP2YhfrwKQjSYgIuEeAKnLs

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4308-139-0x0000000000400000-0x0000000000417000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

4716 Host.exe

pid	process
4716	Host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe

Loads dropped DLL 2 IoCs

Processes:

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe

pid	process
4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe

description	pid	process	target process
PID 4020 set thread context of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\Setup\Host.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe

description	pid	process	target process
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4020 wrote to memory of 4308	4020	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
PID 4308 wrote to memory of 4716	4308	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	Host.exe
PID 4308 wrote to memory of 4716	4308	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	Host.exe
PID 4308 wrote to memory of 4716	4308	68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
"C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe
"C:\Users\Admin\AppData\Local\Temp\68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Roaming\Setup\Host.exe
"C:\Users\Admin\AppData\Roaming\Setup\Host.exe"
3⤵
- Executes dropped EXE
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsx42FD.tmp\sprees.dll
Filesize
57KB

MD5
2aac95e2511af03b42b391a420a2db04

SHA1
c7aac5b6f68de9c7d6aa3fb91db42b957d000e6c

SHA256
5a39e3e9583fa118254280b7a7e55837a3a8aa8e0f9027c014eb163ecd305b17

SHA512
8e522dfcd49bd41ab6d2c00a03de97a5302b151763df76ce6532b83dc48181e3ca1df239947d3c8ad55b538691b5567293785fef5d509c3ad9f0131c1912c3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx42FD.tmp\sprees.dll
Filesize
57KB

MD5
2aac95e2511af03b42b391a420a2db04

SHA1
c7aac5b6f68de9c7d6aa3fb91db42b957d000e6c

SHA256
5a39e3e9583fa118254280b7a7e55837a3a8aa8e0f9027c014eb163ecd305b17

SHA512
8e522dfcd49bd41ab6d2c00a03de97a5302b151763df76ce6532b83dc48181e3ca1df239947d3c8ad55b538691b5567293785fef5d509c3ad9f0131c1912c3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sprees.mjw
Filesize
68KB

MD5
ebdd3b8ebf400c8d56ef48adf8b78dff

SHA1
553dbb7db9457d249683d36114d0fed90087bdac

SHA256
50f942da50af23e6149873501452b25cb9ab00e2fec1d6c2cb6c460ce61cdc5d

SHA512
c192e9ea00c67f440f309f2f782c6bb7c6fecb773ccc992a57d697bf11cb01c93482c580377463b3a626424b52e9d7d69ce5cd744dd46f710899b61fee73fd9c

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Host.exe
Filesize
136KB

MD5
21b289e88c52899e189bd93995cd4f45

SHA1
4b73d5200538d31d5a8aebab6ca2387df4489d96

SHA256
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

SHA512
013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Host.exe
Filesize
136KB

MD5
21b289e88c52899e189bd93995cd4f45

SHA1
4b73d5200538d31d5a8aebab6ca2387df4489d96

SHA256
68aa0631eab215747c8e65ae0428ad2de586abe0ece18d271786c7e7ef45137b

SHA512
013b6644a35bf5611dec48886c177552170b1ac02ae88a5218ce76a6082d664b5c27de61843576679af3f5ba4d95fcc3ca67e65790052bcee52d71eef439f703

Download Submit
memory/4020-134-0x0000000002610000-0x0000000002627000-memory.dmp

Filesize
92KB

Download
memory/4308-135-0x0000000000000000-mapping.dmp

Download
memory/4308-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4308-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4308-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4716-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads