netwire | de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

General

Target

GBO -590 ORDER.exe
Size

833KB
MD5

1a9ce8f81c2b5e3dbd4de1681975f1e1
SHA1

1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b
SHA256

de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0
SHA512

5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5
SSDEEP

12288:yf0bR6AbG9g+ULV7/yCabiYgONmRyUVzgMl79f7y7m:o0bVa9ALFy5eOERyUWq7NyK

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:7324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password123
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 11 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1908-69-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1908-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1908-72-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1908-75-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1908-74-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1908-78-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1908-83-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1728-106-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1728-110-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1728-112-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1728-114-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

392 Host.exe
1728 Host.exe
Loads dropped DLL 2 IoCs

Processes:

GBO -590 ORDER.exe

pid process

1908 GBO -590 ORDER.exe
1908 GBO -590 ORDER.exe

pid	process
392	Host.exe
1728	Host.exe

pid	process
1908	GBO -590 ORDER.exe
1908	GBO -590 ORDER.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

GBO -590 ORDER.exeHost.exe

description	pid	process	target process
PID 1584 set thread context of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 392 set thread context of 1728	392	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

764 schtasks.exe
920 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

GBO -590 ORDER.exepowershell.exeHost.exepowershell.exe

pid process

1584 GBO -590 ORDER.exe
1584 GBO -590 ORDER.exe
468 powershell.exe
392 Host.exe
848 powershell.exe
392 Host.exe

pid	process
764	schtasks.exe
920	schtasks.exe

pid	process
1584	GBO -590 ORDER.exe
1584	GBO -590 ORDER.exe
468	powershell.exe
392	Host.exe
848	powershell.exe
392	Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

GBO -590 ORDER.exepowershell.exeHost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1584	GBO -590 ORDER.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	392	Host.exe
Token: SeDebugPrivilege	848	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

GBO -590 ORDER.exeGBO -590 ORDER.exeHost.exe

description	pid	process	target process
PID 1584 wrote to memory of 468	1584	GBO -590 ORDER.exe	powershell.exe
PID 1584 wrote to memory of 468	1584	GBO -590 ORDER.exe	powershell.exe
PID 1584 wrote to memory of 468	1584	GBO -590 ORDER.exe	powershell.exe
PID 1584 wrote to memory of 468	1584	GBO -590 ORDER.exe	powershell.exe
PID 1584 wrote to memory of 764	1584	GBO -590 ORDER.exe	schtasks.exe
PID 1584 wrote to memory of 764	1584	GBO -590 ORDER.exe	schtasks.exe
PID 1584 wrote to memory of 764	1584	GBO -590 ORDER.exe	schtasks.exe
PID 1584 wrote to memory of 764	1584	GBO -590 ORDER.exe	schtasks.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1584 wrote to memory of 1908	1584	GBO -590 ORDER.exe	GBO -590 ORDER.exe
PID 1908 wrote to memory of 392	1908	GBO -590 ORDER.exe	Host.exe
PID 1908 wrote to memory of 392	1908	GBO -590 ORDER.exe	Host.exe
PID 1908 wrote to memory of 392	1908	GBO -590 ORDER.exe	Host.exe
PID 1908 wrote to memory of 392	1908	GBO -590 ORDER.exe	Host.exe
PID 392 wrote to memory of 848	392	Host.exe	powershell.exe
PID 392 wrote to memory of 848	392	Host.exe	powershell.exe
PID 392 wrote to memory of 848	392	Host.exe	powershell.exe
PID 392 wrote to memory of 848	392	Host.exe	powershell.exe
PID 392 wrote to memory of 920	392	Host.exe	schtasks.exe
PID 392 wrote to memory of 920	392	Host.exe	schtasks.exe
PID 392 wrote to memory of 920	392	Host.exe	schtasks.exe
PID 392 wrote to memory of 920	392	Host.exe	schtasks.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe
PID 392 wrote to memory of 1728	392	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QmkdACHcaWibL.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QmkdACHcaWibL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E82.tmp"
2⤵
- Creates scheduled task(s)
PID:764

C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\GBO -590 ORDER.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QmkdACHcaWibL.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QmkdACHcaWibL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp"
4⤵
- Creates scheduled task(s)
PID:920

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3E0B.tmp
Filesize
1KB

MD5
d3d3ef033e0d691983473013a3c311bd

SHA1
b488071727ea809d573ecf8c0ea9c5648245d3ad

SHA256
e5537110ce83512e9c62de905a63be60688179e3df56ad6d97f6b9636da246b6

SHA512
e3347f05e61a23f733fcf01bd5c94ee166f96020afd1c3695cf98f78eb6c9599dd4a2f25270e3a40babc421366dcb505714c00e330d94ff0da60ccb9b3269a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E82.tmp
Filesize
1KB

MD5
d3d3ef033e0d691983473013a3c311bd

SHA1
b488071727ea809d573ecf8c0ea9c5648245d3ad

SHA256
e5537110ce83512e9c62de905a63be60688179e3df56ad6d97f6b9636da246b6

SHA512
e3347f05e61a23f733fcf01bd5c94ee166f96020afd1c3695cf98f78eb6c9599dd4a2f25270e3a40babc421366dcb505714c00e330d94ff0da60ccb9b3269a25

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e1f364cb2cd2fc5e034285bb2b767f81

SHA1
846bbc2aadcd06d7c6239b7dd47c05a47ffd42b8

SHA256
b2740427e1890c6338ce0084b9aa97f86b0996cbca93667aa1c8a739e8c1c71d

SHA512
9377e2194c9cb9a0717c85c26db6d8cfe0f2d07c0e644b2e1ba0437d038e12a32eaafd3765b8d9220bdab461ebf6d17fb3e48b5e8eb8db90dd38037e1a152eae

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
833KB

MD5
1a9ce8f81c2b5e3dbd4de1681975f1e1

SHA1
1e5ec9bf8bb045caa2c9e1090444d8b5a07fa19b

SHA256
de1dca28f32c8367c84d51ae14b26c4432f91e0845dc0db65fdb4ccb7eefbcb0

SHA512
5aa435dbee766fe7395cb58f5e3ff1f2795b9348e7f7706e494e1a848715132ef99ad77aaef9b8c5f0408a37e34651d37ea75674576a37b61e5336f89dea7fe5

Download Submit
memory/392-88-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/392-85-0x00000000010B0000-0x0000000001186000-memory.dmp

Filesize
856KB

Download
memory/392-81-0x0000000000000000-mapping.dmp

Download
memory/468-89-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/468-87-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/468-59-0x0000000000000000-mapping.dmp

Download
memory/764-60-0x0000000000000000-mapping.dmp

Download
memory/848-113-0x0000000072BB0000-0x000000007315B000-memory.dmp

Filesize
5.7MB

Download
memory/848-111-0x0000000072BB0000-0x000000007315B000-memory.dmp

Filesize
5.7MB

Download
memory/848-90-0x0000000000000000-mapping.dmp

Download
memory/920-91-0x0000000000000000-mapping.dmp

Download
memory/1584-57-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/1584-56-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/1584-63-0x0000000007DB0000-0x0000000007DFC000-memory.dmp

Filesize
304KB

Download
memory/1584-55-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1584-58-0x00000000080C0000-0x0000000008144000-memory.dmp

Filesize
528KB

Download
memory/1584-54-0x0000000001000000-0x00000000010D6000-memory.dmp

Filesize
856KB

Download
memory/1728-114-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1728-112-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1728-110-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1728-106-0x000000000041AD7B-mapping.dmp

Download
memory/1908-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-75-0x000000000041AD7B-mapping.dmp

Download
memory/1908-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1908-83-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads