netwire | 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d

General

Target

0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
Size

272KB
MD5

c392e134b254a10d3007c4860ac06d95
SHA1

0b50a024e07b0da75e5080486e2d41634ef6a971
SHA256

0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d
SHA512

3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09
SSDEEP

6144:wcCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD9dIx:wcXiQfipPrb08rTj6+pGWq4x

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

94.156.189.115:53

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Router\CheckLink.exe
keylogger_dir
TestLink.lnk
lock_executable
false
mutex
pHGKnPeU
offline_keylogger
false
password
1qaz2wsx.
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Router\CheckLink.exe	netwire
C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe	netwire
\Users\Admin\AppData\Roaming\Router\CheckLink.exe	netwire
C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Deletes itself 1 IoCs

Processes:

CheckLink.exe

pid process

1680 CheckLink.exe
Drops startup file 1 IoCs

Processes:

CheckLink.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk CheckLink.exe
Executes dropped EXE 1 IoCs

Processes:

CheckLink.exe

pid process

1680 CheckLink.exe
Loads dropped DLL 2 IoCs

Processes:

0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exeCheckLink.exe

pid process

1948 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
1680 CheckLink.exe
Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 94.156.189.115
Destination IP 94.156.189.115
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1680	CheckLink.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk	CheckLink.exe

pid	process
1680	CheckLink.exe

pid	process
1948	0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
1680	CheckLink.exe

description	ioc
Destination IP	94.156.189.115
Destination IP	94.156.189.115

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe

description	pid	process	target process
PID 1948 wrote to memory of 1680	1948	0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe	CheckLink.exe
PID 1948 wrote to memory of 1680	1948	0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe	CheckLink.exe
PID 1948 wrote to memory of 1680	1948	0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe	CheckLink.exe
PID 1948 wrote to memory of 1680	1948	0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe	CheckLink.exe

C:\Users\Admin\AppData\Local\Temp\0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
"C:\Users\Admin\AppData\Local\Temp\0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe
"C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe" -m "C:\Users\Admin\AppData\Local\Temp\0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe"
2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe
Filesize
272KB

MD5
c392e134b254a10d3007c4860ac06d95

SHA1
0b50a024e07b0da75e5080486e2d41634ef6a971

SHA256
0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d

SHA512
3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09

Download Submit
C:\Users\Admin\AppData\Roaming\Router\CheckLink.exe
Filesize
272KB

MD5
c392e134b254a10d3007c4860ac06d95

SHA1
0b50a024e07b0da75e5080486e2d41634ef6a971

SHA256
0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d

SHA512
3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09

Download Submit
\Users\Admin\AppData\Roaming\Router\CheckLink.exe
Filesize
272KB

MD5
c392e134b254a10d3007c4860ac06d95

SHA1
0b50a024e07b0da75e5080486e2d41634ef6a971

SHA256
0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d

SHA512
3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09

Download Submit
\Users\Admin\AppData\Roaming\Router\CheckLink.exe
Filesize
272KB

MD5
c392e134b254a10d3007c4860ac06d95

SHA1
0b50a024e07b0da75e5080486e2d41634ef6a971

SHA256
0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d

SHA512
3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09

Download Submit

Analysis

Sharing