netwire | b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c

General

Target

SecuriteInfo.com.Win32.RATX-gen.8711.exe
Size

715KB
MD5

14a8ed4f4d833c20f775d254eb751f2d
SHA1

5c3282c4b919fb7d5a84a8026233fe358de5a022
SHA256

b3cd1a80df7ae1654da07a03006781c83240814dd6d99db27f1733ed8267661c
SHA512

5210cffe7b9b7fb2fa884a71ee599c9305df08270ffc766afa8a409fff9eab5597bd1c677312e8afb0c27caf0966e416e653b5d20b738aadece91e292de14f18
SSDEEP

12288:9zJs9gjEzcfWT+9FOcfx1HsAYaZAtpuxHJNp7lbheaiA/yQRq9CLQrx99s2z:U35Mx3Ya8ApbPeoyN9CWTs2

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:7324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password123
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2820-144-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/2820-145-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/2820-146-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral2/memory/2820-152-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

4136 Host.exe

pid	process
4136	Host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.RATX-gen.8711.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exe

description pid process target process

PID 4848 set thread context of 2820 4848 SecuriteInfo.com.Win32.RATX-gen.8711.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1168 schtasks.exe

description	pid	process	target process
PID 4848 set thread context of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe

pid	process
1168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exepowershell.exe

pid	process
4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe
4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe
4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe
4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe
4072	powershell.exe
4072	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4848 SecuriteInfo.com.Win32.RATX-gen.8711.exe
Token: SeDebugPrivilege 4072 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe
Token: SeDebugPrivilege	4072	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

SecuriteInfo.com.Win32.RATX-gen.8711.exeRegSvcs.exe

description	pid	process	target process
PID 4848 wrote to memory of 4072	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	powershell.exe
PID 4848 wrote to memory of 4072	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	powershell.exe
PID 4848 wrote to memory of 4072	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	powershell.exe
PID 4848 wrote to memory of 1168	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	schtasks.exe
PID 4848 wrote to memory of 1168	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	schtasks.exe
PID 4848 wrote to memory of 1168	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	schtasks.exe
PID 4848 wrote to memory of 1732	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 1732	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 1732	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 4848 wrote to memory of 2820	4848	SecuriteInfo.com.Win32.RATX-gen.8711.exe	RegSvcs.exe
PID 2820 wrote to memory of 4136	2820	RegSvcs.exe	Host.exe
PID 2820 wrote to memory of 4136	2820	RegSvcs.exe	Host.exe
PID 2820 wrote to memory of 4136	2820	RegSvcs.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.8711.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\abmJUJB.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abmJUJB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp612B.tmp"
2⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp612B.tmp
Filesize
1KB

MD5
3e5ec33740eccf5f62ca13008e8dc76d

SHA1
6b7f3f9ffb8301f1a69c9a680c8e07466b9c624e

SHA256
c4cd025ed52813b884c8cb6bda8c17df690f9b14b99a478d58a535792f305b31

SHA512
4948d8067600b97f1b75be2e3eb35cc757fe97d4c864f8a08ab5eccbabce0125150428e5f0e4bccee3d0a63f8357d3f27828421150515463a5f19ff14ec1e7f4

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/1168-138-0x0000000000000000-mapping.dmp

Download
memory/1732-141-0x0000000000000000-mapping.dmp

Download
memory/2820-152-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2820-146-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2820-145-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2820-144-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2820-143-0x0000000000000000-mapping.dmp

Download
memory/4072-148-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/4072-161-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/4072-140-0x0000000004FE0000-0x0000000005016000-memory.dmp

Filesize
216KB

Download
memory/4072-137-0x0000000000000000-mapping.dmp

Download
memory/4072-166-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

Filesize
32KB

Download
memory/4072-147-0x0000000005E00000-0x0000000005E22000-memory.dmp

Filesize
136KB

Download
memory/4072-165-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

Filesize
104KB

Download
memory/4072-149-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/4072-164-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

Filesize
56KB

Download
memory/4072-163-0x0000000007B20000-0x0000000007BB6000-memory.dmp

Filesize
600KB

Download
memory/4072-162-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/4072-142-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/4072-160-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/4072-159-0x0000000006B40000-0x0000000006B5E000-memory.dmp

Filesize
120KB

Download
memory/4072-156-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/4072-157-0x0000000006B60000-0x0000000006B92000-memory.dmp

Filesize
200KB

Download
memory/4072-158-0x0000000073560000-0x00000000735AC000-memory.dmp

Filesize
304KB

Download
memory/4136-155-0x0000000005350000-0x000000000538C000-memory.dmp

Filesize
240KB

Download
memory/4136-154-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/4136-150-0x0000000000000000-mapping.dmp

Download
memory/4848-133-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4848-134-0x0000000005660000-0x00000000056F2000-memory.dmp

Filesize
584KB

Download
memory/4848-135-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/4848-132-0x0000000000C00000-0x0000000000CB8000-memory.dmp

Filesize
736KB

Download
memory/4848-136-0x0000000009340000-0x00000000093DC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads