netwire | d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc

General

Target

d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc.dll
Size

5.5MB
MD5

7fe40fa40f7c5f09f57107f389f6391e
SHA1

3e38eda6e167b9e51681d7ada88fab51bee282e7
SHA256

d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc
SHA512

8792ab1c60cb51a1c445951e731aebb77100f06cadddfcc678be18b045d40cd52b51bebb9399b0ee33fb67e41e73919f33706e6017900a1c636d57b73a5b38e1
SSDEEP

49152:r46RlYSOQmRN8f7zTwB902KXHsQnVedoRl69dz5FfV+mT9FhZrQ8YZaq:r4kz03024efFkEhi8a9

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

www.secureupload.online:1929

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-eqOyw8
lock_executable
false
offline_keylogger
false
password
Manlike1234567!
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/664-60-0x00000000043B0000-0x00000000043EF000-memory.dmp	netwire
behavioral1/memory/1724-73-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

664 ipconfig.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeipconfig.exe

pid process

976 rundll32.exe
664 ipconfig.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ipconfig.exe

pid process

664 ipconfig.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

976 rundll32.exe

pid	process
664	ipconfig.exe

pid	process
976	rundll32.exe
664	ipconfig.exe

pid	process
664	ipconfig.exe

pid	process
976	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exeipconfig.exe

description	pid	process	target process
PID 1676 wrote to memory of 976	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 976	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 976	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 976	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 976	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 976	1676	rundll32.exe	rundll32.exe
PID 1676 wrote to memory of 976	1676	rundll32.exe	rundll32.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 976 wrote to memory of 664	976	rundll32.exe	ipconfig.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe
PID 664 wrote to memory of 1724	664	ipconfig.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
3⤵
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/664-61-0x0000000076D40000-0x0000000076EE9000-memory.dmp

Filesize
1.7MB

Download
memory/664-63-0x00000000043B7000-0x00000000043C7000-memory.dmp

Filesize
64KB

Download
memory/664-72-0x00000000043B7000-0x00000000043C7000-memory.dmp

Filesize
64KB

Download
memory/664-57-0x0000000000000000-mapping.dmp

Download
memory/664-62-0x0000000000210000-0x0000000000218000-memory.dmp

Filesize
32KB

Download
memory/664-60-0x00000000043B0000-0x00000000043EF000-memory.dmp

Filesize
252KB

Download
memory/976-59-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/976-54-0x0000000000000000-mapping.dmp

Download
memory/976-55-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/976-56-0x0000000001E70000-0x0000000002414000-memory.dmp

Filesize
5.6MB

Download
memory/1724-66-0x0000000076D40000-0x0000000076EE9000-memory.dmp

Filesize
1.7MB

Download
memory/1724-64-0x0000000000000000-mapping.dmp

Download
memory/1724-67-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/1724-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing