netwire | 92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77

General

Target

92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe
Size

1.1MB
MD5

4cebadb09cb1c3823c181fddb594bfac
SHA1

4398791a02dcfbe616a63f68d1bb3721e51d071e
SHA256

92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77
SHA512

ea6502cc39d5e83411db629820f9c43c20876bd4554bf2f8f80ba79f6372552486c09693a6a416aaa1d1d5325c2cf33437b888d022398785eb69a58759372bcc
SSDEEP

12288:LRG7xFeew+B6PVaJvEUNItZTWtAFpnxkhwIBlEvbkE3BAUVwUU9SlqjQt8MpsPTU:UlJvEUNeWapn+aIBlEvYIbKbcIAIT

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

bedahogs.100chickens.me:6065

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Msc.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
ABsbWEPM
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
MscRun
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1960-148-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1960-150-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1960-154-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Audio-card.exeMsc.exe

pid process

1124 Audio-card.exe
1484 Msc.exe

pid	process
1124	Audio-card.exe
1484	Msc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3740-132-0x0000000000400000-0x000000000065A000-memory.dmp	upx
behavioral2/memory/3740-136-0x0000000000400000-0x000000000065A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

secinit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjsfjfb = "C:\\Users\\Admin\\AppData\\Local\\kjsfjfb\\kjsfjfb.vbs"	secinit.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

secinit.exe

description pid process target process

PID 4464 set thread context of 1960 4464 secinit.exe secinit.exe

description	pid	process	target process
PID 4464 set thread context of 1960	4464	secinit.exe	secinit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exeAudio-card.exe

description	pid	process	target process
PID 3740 wrote to memory of 1124	3740	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe	Audio-card.exe
PID 3740 wrote to memory of 1124	3740	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe	Audio-card.exe
PID 3740 wrote to memory of 1124	3740	92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe	Audio-card.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe
PID 1124 wrote to memory of 4464	1124	Audio-card.exe	secinit.exe

C:\Users\Admin\AppData\Local\Temp\92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe
"C:\Users\Admin\AppData\Local\Temp\92c1463643f84810e1d1379c2f13fb8f3acbd98fb8e2f151cfc871c4e6b6ec77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Audio-card.exe
C:\Users\Admin\AppData\Local\Audio-card.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\secinit.exe
secinit.exe
3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4464

C:\Windows\SysWOW64\secinit.exe
"C:\Windows\SysWOW64\secinit.exe"
4⤵
PID:1960

C:\Users\Admin\AppData\Roaming\Install\Msc.exe
"C:\Users\Admin\AppData\Roaming\Install\Msc.exe"
5⤵
- Executes dropped EXE
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Audio-card.exe
Filesize
415KB

MD5
071e878e51a3e0526f59d3286997fe40

SHA1
123c462733a813330a2a1a36f190ee8b998f2bf4

SHA256
88b16b728a33008b87cc77e05940b019662b0a3444b1148b0f732334ed73dc9b

SHA512
275814e27d60da65ad5605a034b0ca4e227689be91002f982ef22adfae7ca0310fe862dfda91a7ee4a823a3fe7be70ff97f50ecc445bda579ebf65c0dd99b282

Download Submit
C:\Users\Admin\AppData\Local\Audio-card.exe
Filesize
415KB

MD5
071e878e51a3e0526f59d3286997fe40

SHA1
123c462733a813330a2a1a36f190ee8b998f2bf4

SHA256
88b16b728a33008b87cc77e05940b019662b0a3444b1148b0f732334ed73dc9b

SHA512
275814e27d60da65ad5605a034b0ca4e227689be91002f982ef22adfae7ca0310fe862dfda91a7ee4a823a3fe7be70ff97f50ecc445bda579ebf65c0dd99b282

Download Submit
C:\Users\Admin\AppData\Local\Tm.bmp
Filesize
748KB

MD5
480bd13fcf1b99fe682ff494281a406c

SHA1
e98090f5b7ae6ca8282d4630c62fc9f3de674061

SHA256
b2713562600e3e84e445895f1ae224f0ec89963011c37e8cba2706c6638ca276

SHA512
453a2f201c947d8a72fb8432ab10afc05f2305c7ec00fb5f996baf88a759587f32f4fa78387c206547a1ba598ab6f9311bfef4fa927d69b8831f0e2caef4ec05

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Msc.exe
Filesize
9KB

MD5
3b4b8db765c75b8024a208ae6915223c

SHA1
21f946bbae92921eead50381370ec54e14f0aa08

SHA256
aa365888ab4e37156f06edf20049831ba7cd9203f6617a9632f1c8f3bcafe15a

SHA512
f865fc7f9c368212a4bb9f0a02b1fda92f2611e7bf08d10dd2bb1892e3c46c819ce3f76e96e2b32e6e72f6c6cdec2846613b861f7899f93b872b0c4f9a407591

Download Submit
memory/1124-140-0x0000000010410000-0x00000000104AF000-memory.dmp

Filesize
636KB

Download
memory/1124-133-0x0000000000000000-mapping.dmp

Download
memory/1484-152-0x0000000000000000-mapping.dmp

Download
memory/1960-154-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1960-147-0x0000000000000000-mapping.dmp

Download
memory/1960-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1960-150-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3740-132-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/3740-136-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/4464-146-0x0000000010410000-0x00000000104AF000-memory.dmp

Filesize
636KB

Download
memory/4464-151-0x0000000010410000-0x00000000104AF000-memory.dmp

Filesize
636KB

Download
memory/4464-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads