netwire | 92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77

General

Target

92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe
Size

1.1MB
MD5

4cebadb09cb1c3823c181fddb594bfac
SHA1

4398791a02dcfbe616a63f68d1bb3721e51d071e
SHA256

92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77
SHA512

ea6502cc39d5e83411db629820f9c43c20876bd4554bf2f8f80ba79f6372552486c09693a6a416aaa1d1d5325c2cf33437b888d022398785eb69a58759372bcc
SSDEEP

12288:LRG7xFeew+B6PVaJvEUNItZTWtAFpnxkhwIBlEvbkE3BAUVwUU9SlqjQt8MpsPTU:UlJvEUNeWapn+aIBlEvYIbKbcIAIT

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

bedahogs.100chickens.me:6065

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Msc.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
ABsbWEPM
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
MscRun
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3060-75-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/3060-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/3060-79-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/3060-83-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Audio-card.exeMsc.exe

pid process

588 Audio-card.exe
3036 Msc.exe

pid	process
588	Audio-card.exe
3036	Msc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/316-55-0x0000000000400000-0x000000000065A000-memory.dmp	upx
behavioral1/memory/316-59-0x0000000000400000-0x000000000065A000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exesecinit.exe

pid process

316 92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe
3060 secinit.exe

pid	process
316	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe
3060	secinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

secinit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\kjsfjfb = "C:\\Users\\Admin\\AppData\\Local\\kjsfjfb\\kjsfjfb.vbs"	secinit.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

secinit.exe

description pid process target process

PID 472 set thread context of 3060 472 secinit.exe secinit.exe

description	pid	process	target process
PID 472 set thread context of 3060	472	secinit.exe	secinit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exeAudio-card.exe

description	pid	process	target process
PID 316 wrote to memory of 588	316	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe	Audio-card.exe
PID 316 wrote to memory of 588	316	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe	Audio-card.exe
PID 316 wrote to memory of 588	316	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe	Audio-card.exe
PID 316 wrote to memory of 588	316	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe	Audio-card.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe
PID 588 wrote to memory of 472	588	Audio-card.exe	secinit.exe

C:\Users\Admin\AppData\Local\Temp\92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe
"C:\Users\Admin\AppData\Local\Temp\92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Audio-card.exe
C:\Users\Admin\AppData\Local\Audio-card.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\secinit.exe
secinit.exe
3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:472

C:\Windows\SysWOW64\secinit.exe
"C:\Windows\SysWOW64\secinit.exe"
4⤵
- Loads dropped DLL
PID:3060

C:\Users\Admin\AppData\Roaming\Install\Msc.exe
"C:\Users\Admin\AppData\Roaming\Install\Msc.exe"
5⤵
- Executes dropped EXE
PID:3036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Audio-card.exe
Filesize
415KB

MD5
071e878e51a3e0526f59d3286997fe40

SHA1
123c462733a813330a2a1a36f190ee8b998f2bf4

SHA256
88b16b728a33008b87cc77e05940b019662b0a3444b1148b0f732334ed73dc9b

SHA512
275814e27d60da65ad5605a034b0ca4e227689be91002f982ef22adfae7ca0310fe862dfda91a7ee4a823a3fe7be70ff97f50ecc445bda579ebf65c0dd99b282

Download Submit
C:\Users\Admin\AppData\Local\Audio-card.exe
Filesize
415KB

MD5
071e878e51a3e0526f59d3286997fe40

SHA1
123c462733a813330a2a1a36f190ee8b998f2bf4

SHA256
88b16b728a33008b87cc77e05940b019662b0a3444b1148b0f732334ed73dc9b

SHA512
275814e27d60da65ad5605a034b0ca4e227689be91002f982ef22adfae7ca0310fe862dfda91a7ee4a823a3fe7be70ff97f50ecc445bda579ebf65c0dd99b282

Download Submit
C:\Users\Admin\AppData\Local\Tm.bmp
Filesize
748KB

MD5
480bd13fcf1b99fe682ff494281a406c

SHA1
e98090f5b7ae6ca8282d4630c62fc9f3de674061

SHA256
b2713562600e3e84e445895f1ae224f0ec89963011c37e8cba2706c6638ca276

SHA512
453a2f201c947d8a72fb8432ab10afc05f2305c7ec00fb5f996baf88a759587f32f4fa78387c206547a1ba598ab6f9311bfef4fa927d69b8831f0e2caef4ec05

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Msc.exe
Filesize
14KB

MD5
4297f5d9be5f4b5b11a44a7a6aa12fb7

SHA1
bfd42ee4aac000d6f62b7a21dba827f71bdbff1f

SHA256
4e1e9512ceac308b289e4ef168de9cf9ad30c828ed0df75e6a0afd87af2901b7

SHA512
3b232fcc111793aa0de9a1b95423b0269c1c5ff6d5c8d16b2a111e5f3a17cb9619e8f048210adac157980996dedd0ef2236f0b8711577121504b11abe3eb8980

Download Submit
\Users\Admin\AppData\Local\Audio-card.exe
Filesize
415KB

MD5
071e878e51a3e0526f59d3286997fe40

SHA1
123c462733a813330a2a1a36f190ee8b998f2bf4

SHA256
88b16b728a33008b87cc77e05940b019662b0a3444b1148b0f732334ed73dc9b

SHA512
275814e27d60da65ad5605a034b0ca4e227689be91002f982ef22adfae7ca0310fe862dfda91a7ee4a823a3fe7be70ff97f50ecc445bda579ebf65c0dd99b282

Download Submit
\Users\Admin\AppData\Roaming\Install\Msc.exe
Filesize
14KB

MD5
4297f5d9be5f4b5b11a44a7a6aa12fb7

SHA1
bfd42ee4aac000d6f62b7a21dba827f71bdbff1f

SHA256
4e1e9512ceac308b289e4ef168de9cf9ad30c828ed0df75e6a0afd87af2901b7

SHA512
3b232fcc111793aa0de9a1b95423b0269c1c5ff6d5c8d16b2a111e5f3a17cb9619e8f048210adac157980996dedd0ef2236f0b8711577121504b11abe3eb8980

Download Submit
memory/316-59-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/316-55-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/316-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/472-70-0x0000000010410000-0x00000000104AF000-memory.dmp

Filesize
636KB

Download
memory/472-63-0x0000000000000000-mapping.dmp

Download
memory/472-84-0x0000000010410000-0x00000000104AF000-memory.dmp

Filesize
636KB

Download
memory/588-64-0x0000000010410000-0x00000000104AF000-memory.dmp

Filesize
636KB

Download
memory/588-57-0x0000000000000000-mapping.dmp

Download
memory/3036-81-0x0000000000000000-mapping.dmp

Download
memory/3060-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3060-75-0x0000000000402BCB-mapping.dmp

Download
memory/3060-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3060-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3060-83-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads