netwire | b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c

General

Target

SecuriteInfo.com.Win32.RATX-gen.8711.exe
Size

715KB
MD5

14a8ed4f4d833c20f775d254eb751f2d
SHA1

5c3282c4b919fb7d5a84a8026233fe358de5a022
SHA256

b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
SHA512

5210cffe7b9b7fb2fa884a71ee599c9305df08270ffc766afa8a409fff9eab5597bd1c677312e8afb0c27caf0966e416e653b5d20b738aadece91e292de14f18
SSDEEP

12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:7324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password123
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1056-69-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1056-71-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1056-72-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1056-74-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1056-75-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/1056-78-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/1056-82-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

816 Host.exe
Loads dropped DLL 1 IoCs

Processes:

RegSvcs.exe

pid process

1056 RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exe

description pid process target process

PID 788 set thread context of 1056 788 SecuriteInfo.com.Win32.RATX-gen.8711.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1448 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exepowershell.exe

pid process

788 SecuriteInfo.com.Win32.RATX-gen.8711.exe
788 SecuriteInfo.com.Win32.RATX-gen.8711.exe
940 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exepowershell.exe

description pid process

Token: SeDebugPrivilege 788 SecuriteInfo.com.Win32.RATX-gen.8711.exe
Token: SeDebugPrivilege 940 powershell.exe

pid	process
816	Host.exe

pid	process
1056	RegSvcs.exe

description	pid	process	target process
PID 788 set thread context of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe

pid	process
1448	schtasks.exe

pid	process
788	SecuriteInfo.com.Win32.RATX-gen.8711.exe
788	SecuriteInfo.com.Win32.RATX-gen.8711.exe
940	powershell.exe

description	pid	process
Token: SeDebugPrivilege	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe
Token: SeDebugPrivilege	940	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exeRegSvcs.exe

description	pid	process	target process
PID 788 wrote to memory of 940	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	powershell.exe
PID 788 wrote to memory of 940	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	powershell.exe
PID 788 wrote to memory of 940	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	powershell.exe
PID 788 wrote to memory of 940	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	powershell.exe
PID 788 wrote to memory of 1448	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	schtasks.exe
PID 788 wrote to memory of 1448	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	schtasks.exe
PID 788 wrote to memory of 1448	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	schtasks.exe
PID 788 wrote to memory of 1448	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	schtasks.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 788 wrote to memory of 1056	788	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 1056 wrote to memory of 816	1056	RegSvcs.exe	Host.exe
PID 1056 wrote to memory of 816	1056	RegSvcs.exe	Host.exe
PID 1056 wrote to memory of 816	1056	RegSvcs.exe	Host.exe
PID 1056 wrote to memory of 816	1056	RegSvcs.exe	Host.exe
PID 1056 wrote to memory of 816	1056	RegSvcs.exe	Host.exe
PID 1056 wrote to memory of 816	1056	RegSvcs.exe	Host.exe
PID 1056 wrote to memory of 816	1056	RegSvcs.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C77.tmp"
2⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:816

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C77.tmp
Filesize
1KB

MD5
80b73735c81cb09791d7983f8d3dff46

SHA1
4444b228cc997afa6e0d3b33222bcfe353107d76

SHA256
393e06a5c646d1312781716a3f659d8395491324988fcfdb0e9c15c34c4e00de

SHA512
810e9a443b56e35ca3675828edbe806a35cdc111b009aa822a09dcc1e5ffbe6203bf91096616d95865a8599267efaa71ef9b12cec003b92096b0744047807da7

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/788-63-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/788-58-0x0000000005ED0000-0x0000000005F54000-memory.dmp

Filesize
528KB

Download
memory/788-57-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/788-54-0x00000000001D0000-0x0000000000288000-memory.dmp

Filesize
736KB

Download
memory/788-56-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/788-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/816-85-0x0000000000310000-0x0000000000330000-memory.dmp

Filesize
128KB

Download
memory/816-84-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/816-80-0x0000000000000000-mapping.dmp

Download
memory/940-59-0x0000000000000000-mapping.dmp

Download
memory/940-87-0x000000006EB10000-0x000000006F0BB000-memory.dmp

Filesize
5.7MB

Download
memory/940-86-0x000000006EB10000-0x000000006F0BB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-75-0x000000000041AD7B-mapping.dmp

Download
memory/1056-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1056-64-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1448-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads