netwire | 34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5

General

Target

34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe
Size

453KB
MD5

a7c46dcd7583f9b2fdca60638393fe3d
SHA1

9d095498c250a1c8b8c1b9b7064d7be934b0ac1a
SHA256

34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5
SHA512

7e588fd29d927c232efcf1ab7334e0ee663c6b67bbd819823cb093d9787ceb5fbadd56a11145107bafe120889d4c1acc425e7ca2cf42fa1b5cb01437e25cda47
SSDEEP

12288:yhKODnJnFSRyDy/J9JLtpx+/tADdzw/aFo:yoOHSSaPJh+/tADdI

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

haija.mine.nu:1338

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Marketplace
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
qays1122
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4588-135-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4588-145-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4588-149-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

228 svchost.exe

pid	process
228	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Experience.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Experience.exe"	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

description	pid	process	target process
PID 3060 set thread context of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 set thread context of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

pid	process
3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe
3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

description pid process

Token: SeDebugPrivilege 3060 34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

description	pid	process
Token: SeDebugPrivilege	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe

description	pid	process	target process
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 4588	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 1552	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 1552	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 1552	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe
PID 3060 wrote to memory of 228	3060	34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe
"C:\Users\Admin\AppData\Local\Temp\34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWow64\svchost.exe
"C:\\Windows\\SysWow64\\svchost.exe"
2⤵
PID:4588

C:\Windows\SysWow64\svchost.exe
"C:\\Windows\\SysWow64\\svchost.exe"
2⤵
PID:1552

C:\Windows\SysWow64\svchost.exe
"C:\\Windows\\SysWow64\\svchost.exe"
2⤵
- Loads dropped DLL
PID:228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll
Filesize
234KB

MD5
6f8b0021a206e48a50986333b87a5245

SHA1
b650435b6e1a0cc59e2c232f83a9796770f85f96

SHA256
326ca48a87c1e82e1fcaf95acd5b8c09d92f712591ba88928f48e093c485c40a

SHA512
b7f066786f20934148d718689fbcdf830a0a04ebf46092c48b6ec06ef5a989518cb23659a7ecbcef5b689a58546f2ac688a861887611cd3ee62b8ade62b4cc27

Download Submit
memory/228-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/228-148-0x0000000075300000-0x0000000075353000-memory.dmp

Filesize
332KB

Download
memory/3060-133-0x00000000000F0000-0x0000000000166000-memory.dmp

Filesize
472KB

Download
memory/3060-134-0x000000001D3A0000-0x000000001D3B0000-memory.dmp

Filesize
64KB

Download
memory/4588-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads