netwire | 1968f9eec5d49a56b438eeaff7c71b22a5600028b6c6571e1add170d6c0192f8

General

Target

1968f9eec5d49a56b438eeaff7c71b22a5600028b6c6571e1add170d6c0192f8.dll
Size

4.9MB
MD5

a45152d1b89cf26aa94104c1154c87ac
SHA1

9b6101cc5bf1b328bac9de91c0102caf7ec4fc14
SHA256

1968f9eec5d49a56b438eeaff7c71b22a5600028b6c6571e1add170d6c0192f8
SHA512

cba252e612dd7b9cda716abc44999fea113347b6821f616933aaeed8789beab133bb0469e1194d0893352bb066424875a05ab0b1d8cc2c261518657551f01b51
SSDEEP

98304:10fY0CspGCvRZFUhsGZtWttFsJObcFksHPlJF3t2GSqZQl2+:VTCZPkhxka5t2Fzg+

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

mikemikemic.com:9336

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-mIgseg
lock_executable
false
offline_keylogger
false
password
Password123
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/952-60-0x00000000043B0000-0x00000000043EF000-memory.dmp	netwire
behavioral1/memory/1504-73-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

7 1504 cmd.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

952 ipconfig.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeipconfig.exe

pid process

272 rundll32.exe
952 ipconfig.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ipconfig.exe

pid process

952 ipconfig.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

272 rundll32.exe

flow	pid	process
7	1504	cmd.exe

pid	process
952	ipconfig.exe

pid	process
272	rundll32.exe
952	ipconfig.exe

pid	process
952	ipconfig.exe

pid	process
272	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exeipconfig.exe

description	pid	process	target process
PID 856 wrote to memory of 272	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 272	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 272	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 272	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 272	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 272	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 272	856	rundll32.exe	rundll32.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 272 wrote to memory of 952	272	rundll32.exe	ipconfig.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe
PID 952 wrote to memory of 1504	952	ipconfig.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1968f9eec5d49a56b438eeaff7c71b22a5600028b6c6571e1add170d6c0192f8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1968f9eec5d49a56b438eeaff7c71b22a5600028b6c6571e1add170d6c0192f8.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
3⤵
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Blocklisted process makes network request
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/272-59-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/272-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/272-56-0x0000000001EF0000-0x00000000023F7000-memory.dmp

Filesize
5.0MB

Download
memory/272-54-0x0000000000000000-mapping.dmp

Download
memory/952-61-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/952-60-0x00000000043B0000-0x00000000043EF000-memory.dmp

Filesize
252KB

Download
memory/952-57-0x0000000000000000-mapping.dmp

Download
memory/952-62-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/952-63-0x00000000043B7000-0x00000000043C7000-memory.dmp

Filesize
64KB

Download
memory/952-72-0x00000000043B7000-0x00000000043C7000-memory.dmp

Filesize
64KB

Download
memory/1504-64-0x0000000000000000-mapping.dmp

Download
memory/1504-66-0x00000000000D0000-0x00000000000D8000-memory.dmp

Filesize
32KB

Download
memory/1504-67-0x00000000773C0000-0x0000000077569000-memory.dmp

Filesize
1.7MB

Download
memory/1504-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing