netwire | 467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6

General

Target

467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe
Size

750KB
MD5

278373101cd2d204770e3c8a364eab7f
SHA1

4f693009a539fa5179ac1d0e9c52e9f9f87c8032
SHA256

467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6
SHA512

a9cfe1ce7ca9e10c78c2aaff8175a24567a378ebd0f45802ad63bd590c3b23b1d59be8cd35a32d5bba334dacdc93accba9169c00110a922cc705889963cd101d
SSDEEP

12288:YYzfWMiSSSSSSSSSSSSSSSS8SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSh:YYr7iSSSSSSSSSSSSSSSS8SSSSSSSSS5

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

oneness.duckdns.org:3368

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
INFLOWS
lock_executable
false
offline_keylogger
false
password
Shedyville
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/904-67-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

aetzw.exeaetzw.exe

pid process

1376 aetzw.exe
904 aetzw.exe

pid	process
1376	aetzw.exe
904	aetzw.exe

Loads dropped DLL 3 IoCs

Processes:

467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exeaetzw.exe

pid	process
2016	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe
2016	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe
1376	aetzw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aetzw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\abjewyslgnygb = "C:\\Users\\Admin\\AppData\\Roaming\\utrvljomikp\\hfifqoxdy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aetzw.exe\" C:\\Users\\Admin\\AppData\\Loca"	aetzw.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

aetzw.exe

description pid process target process

PID 1376 set thread context of 904 1376 aetzw.exe aetzw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aetzw.exe

pid process

1376 aetzw.exe

description	pid	process	target process
PID 1376 set thread context of 904	1376	aetzw.exe	aetzw.exe

pid	process
1376	aetzw.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exeaetzw.exe

description	pid	process	target process
PID 2016 wrote to memory of 1376	2016	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe	aetzw.exe
PID 2016 wrote to memory of 1376	2016	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe	aetzw.exe
PID 2016 wrote to memory of 1376	2016	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe	aetzw.exe
PID 2016 wrote to memory of 1376	2016	467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe	aetzw.exe
PID 1376 wrote to memory of 904	1376	aetzw.exe	aetzw.exe
PID 1376 wrote to memory of 904	1376	aetzw.exe	aetzw.exe
PID 1376 wrote to memory of 904	1376	aetzw.exe	aetzw.exe
PID 1376 wrote to memory of 904	1376	aetzw.exe	aetzw.exe
PID 1376 wrote to memory of 904	1376	aetzw.exe	aetzw.exe

C:\Users\Admin\AppData\Local\Temp\467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe
"C:\Users\Admin\AppData\Local\Temp\467ef57122a909dadc6824af7c479e429cbd53428edece7472eec5993c2568d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\aetzw.exe
"C:\Users\Admin\AppData\Local\Temp\aetzw.exe" C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\aetzw.exe
"C:\Users\Admin\AppData\Local\Temp\aetzw.exe"
3⤵
- Executes dropped EXE
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiatkujj.wma
Filesize
292KB

MD5
ac29d4e9d2b825be8aed38b96e306f55

SHA1
117eff1b5269061b65d1f8a21c63a94ff9d2ab04

SHA256
8042a2fd282f5b166a4375d9231cc237bd3d2ff83f3e8d7472e8c85c2a915ae7

SHA512
9de8bd9f2da59d8cab2d371b0a3985542d2029f5e95d1664e0615c6a01ee16ed31430cb7fd9b9247d2f8d8381aa351208624d363830efe3d044c131b31daee79

Download Submit
C:\Users\Admin\AppData\Local\Temp\smxytwf.qx
Filesize
7KB

MD5
acba89ee944a157d5c5e7a57a8d06980

SHA1
de79abec32290a858a98e3d2ae043bced4b6f01a

SHA256
aa5877d424a9ef6611da85bceacec4175469f5c6033b5ee927b98e4e2c7b8581

SHA512
4f07c07c712fa6cf4ef39298425d25005923c534ce45704a40384086f2a7ec3c9e044724c50e38fbc2a94c04fb07482430596e8cf9ebcfc9b6ef8c54b98bcb71

Download Submit
\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
\Users\Admin\AppData\Local\Temp\aetzw.exe
Filesize
53KB

MD5
508c44cc4fe0cbc09ea9910c18d0cd2a

SHA1
e0339a970aef3f4e7806d06a35816eb6c9fcee4d

SHA256
5e12027a35d653b17c3e9ad814cca0e8bbd7d68db0fd11b4a98cdf7d1b9a61ac

SHA512
6962e6239f8afbe7255a56c820435467ad74079882e28fe6d460d93cc2307b8c3fb722000c867c6020a50f01f0599444a54322ad44161d91adb4b055833e9d55

Download Submit
memory/904-64-0x000000000041AD7B-mapping.dmp

Download
memory/904-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1376-57-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads