netwire | 709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

General

Target

709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
Size

628KB
MD5

c12e964ba585f9a9857075b8eb65d76b
SHA1

1add8089079732146f8488279366e0edbb642dea
SHA256

709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66
SHA512

8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2
SSDEEP

12288:Z25oGFLgYE9jz/Y3GTG8LKa+pCxBU2wgWD1+KjLQZ3Ntkf4VTqKlA7yTE:0VFEYE9XA3GnLtRWD1W3sf4V+Xk

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

mamaput.duckdns.org:3369

Attributes

activex_autorun
true
activex_key
{BF4QBRQX-XB5B-3NJ1-P10G-U11UC07H0K2W}
copy_executable
true
delete_original
false
host_id
winwin
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
gbam1234
registry_autorun
true
startup_name
NetWire
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4220-143-0x0000000000400000-0x00000000004A2000-memory.dmp	netwire
behavioral2/memory/4220-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1676 Host.exe
4968 Host.exe

pid	process
1676	Host.exe
4968	Host.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF4QBRQX-XB5B-3NJ1-P10G-U11UC07H0K2W}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF4QBRQX-XB5B-3NJ1-P10G-U11UC07H0K2W}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exeHost.exe

description	pid	process	target process
PID 3120 set thread context of 4220	3120	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
PID 1676 set thread context of 4968	1676	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exeHost.exe

pid process

3120 709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
1676 Host.exe

pid	process
3120	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
1676	Host.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exeHost.exe

description	pid	process	target process
PID 3120 wrote to memory of 4220	3120	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
PID 3120 wrote to memory of 4220	3120	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
PID 3120 wrote to memory of 4220	3120	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
PID 4220 wrote to memory of 1676	4220	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe	Host.exe
PID 4220 wrote to memory of 1676	4220	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe	Host.exe
PID 4220 wrote to memory of 1676	4220	709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe	Host.exe
PID 1676 wrote to memory of 4968	1676	Host.exe	Host.exe
PID 1676 wrote to memory of 4968	1676	Host.exe	Host.exe
PID 1676 wrote to memory of 4968	1676	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
"C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe
C:\Users\Admin\AppData\Local\Temp\709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\Install\Host.exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
628KB

MD5
c12e964ba585f9a9857075b8eb65d76b

SHA1
1add8089079732146f8488279366e0edbb642dea

SHA256
709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

SHA512
8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
628KB

MD5
c12e964ba585f9a9857075b8eb65d76b

SHA1
1add8089079732146f8488279366e0edbb642dea

SHA256
709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

SHA512
8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
628KB

MD5
c12e964ba585f9a9857075b8eb65d76b

SHA1
1add8089079732146f8488279366e0edbb642dea

SHA256
709135163dbab906237092fe63412c55c71dc4566ff8902c3728f1c22bce8d66

SHA512
8f6cd53cb37b42a5078cd7a3488f2209e88b135a94dd0684a6f8d24417f389070b67ecb74e801dd3ff3392cd1e956e8ad32120fca6cdb36c8a7a9e23ee8e06f2

Download Submit
memory/1676-159-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/1676-150-0x0000000000000000-mapping.dmp

Download
memory/1676-158-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/1676-157-0x0000000002140000-0x0000000002147000-memory.dmp

Filesize
28KB

Download
memory/3120-137-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/3120-136-0x0000000002180000-0x0000000002187000-memory.dmp

Filesize
28KB

Download
memory/3120-138-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/3120-134-0x0000000002180000-0x0000000002187000-memory.dmp

Filesize
28KB

Download
memory/4220-142-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/4220-143-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4220-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4220-141-0x0000000000530000-0x0000000000537000-memory.dmp

Filesize
28KB

Download
memory/4220-169-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-135-0x0000000000000000-mapping.dmp

Download
memory/4220-140-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/4220-139-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/4220-170-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/4968-155-0x0000000000000000-mapping.dmp

Download
memory/4968-168-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download
memory/4968-167-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-171-0x00000000020B0000-0x00000000020B7000-memory.dmp

Filesize
28KB

Download
memory/4968-172-0x00007FFF723D0000-0x00007FFF725C5000-memory.dmp

Filesize
2.0MB

Download
memory/4968-173-0x0000000077730000-0x00000000778D3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads