netwire | d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc

General

Target

d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc.dll
Size

5.5MB
MD5

7fe40fa40f7c5f09f57107f389f6391e
SHA1

3e38eda6e167b9e51681d7ada88fab51bee282e7
SHA256

d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc
SHA512

8792ab1c60cb51a1c445951e731aebb77100f06cadddfcc678be18b045d40cd52b51bebb9399b0ee33fb67e41e73919f33706e6017900a1c636d57b73a5b38e1
SSDEEP

49152:r46RlYSOQmRN8f7zTwB902KXHsQnVedoRl69dz5FfV+mT9FhZrQ8YZaq:r4kz03024efFkEhi8a9

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

www.secureupload.online:1929

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-YaU4Wi
lock_executable
false
offline_keylogger
false
password
Manlike1234567!
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/556-136-0x0000000004640000-0x000000000467F000-memory.dmp	netwire
behavioral2/memory/4532-148-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

51 4532 cmd.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

556 ipconfig.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exeipconfig.exe

pid process

4716 rundll32.exe
556 ipconfig.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ipconfig.exe

pid process

556 ipconfig.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rundll32.exe

pid process

4716 rundll32.exe

flow	pid	process
51	4532	cmd.exe

pid	process
556	ipconfig.exe

pid	process
4716	rundll32.exe
556	ipconfig.exe

pid	process
556	ipconfig.exe

pid	process
4716	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4008 wrote to memory of 4716	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 4716	4008	rundll32.exe	rundll32.exe
PID 4008 wrote to memory of 4716	4008	rundll32.exe	rundll32.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe
PID 4716 wrote to memory of 556	4716	rundll32.exe	ipconfig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d12471afe134cfaecadc6df2a7de16f54a9b0515f8d127ec44d650b90ea069fc.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\system32\ipconfig.exe"
3⤵
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Blocklisted process makes network request
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-138-0x0000000004647000-0x0000000004657000-memory.dmp

Filesize
64KB

Download
memory/556-147-0x0000000004647000-0x0000000004657000-memory.dmp

Filesize
64KB

Download
memory/556-134-0x0000000000000000-mapping.dmp

Download
memory/556-139-0x00007FFC2FB50000-0x00007FFC2FD45000-memory.dmp

Filesize
2.0MB

Download
memory/556-136-0x0000000004640000-0x000000000467F000-memory.dmp

Filesize
252KB

Download
memory/556-137-0x0000000000910000-0x0000000000918000-memory.dmp

Filesize
32KB

Download
memory/4532-141-0x00007FFC2FB50000-0x00007FFC2FD45000-memory.dmp

Filesize
2.0MB

Download
memory/4532-140-0x0000000000000000-mapping.dmp

Download
memory/4532-142-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/4532-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-135-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/4716-132-0x0000000000000000-mapping.dmp

Download
memory/4716-133-0x0000000002180000-0x0000000002724000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing