netwire | 7654eb53d495fab9d93ca0d1deb92538536c3fb8a01619615328ae70d365243c

General

Target

53b5306d77c1b44d375ebca82dd680ce.exe
Size

3.1MB
MD5

53b5306d77c1b44d375ebca82dd680ce
SHA1

49ecb91d93136097f0cf9b6691effdf6fe4b755c
SHA256

7654eb53d495fab9d93ca0d1deb92538536c3fb8a01619615328ae70d365243c
SHA512

1e5baf3f7d892fb7ef1abe9ddf6bc28c039c764c730e3837bea57719579f507eff965688efc6cbdc74259640cb5f500102f51111dda5a434e5f01686babcc8e3
SSDEEP

49152:ch+ZkldoPK8YaYT6Ce9IwaCVV6GGMSqBhjwjHsNaw1kFe0wrkKqFKyqgUqvxu1yQ:N2cPK8hIwaeV6GG9iawuFB6NDglk1P

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

clients.enigmasolutions.xyz:54573

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Cleint-%Rand%
install_path
%AppData%\Microsoft\Speech\eurj.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
eurj
use_mutex
false

Signatures

NetWire RAT payload 12 IoCs

rat

resource	yara_rule
behavioral1/memory/2336-10-0x00000000005D0000-0x0000000000636000-memory.dmp	netwire
behavioral1/memory/2336-13-0x00000000005D0000-0x0000000000636000-memory.dmp	netwire
behavioral1/memory/2656-27-0x00000000004C0000-0x00000000004F0000-memory.dmp	netwire
behavioral1/memory/2336-31-0x00000000005D0000-0x0000000000636000-memory.dmp	netwire
behavioral1/memory/2656-33-0x00000000004C0000-0x00000000004F0000-memory.dmp	netwire
behavioral1/memory/2656-29-0x00000000004C0000-0x00000000004F0000-memory.dmp	netwire
behavioral1/memory/2676-55-0x0000000000F90000-0x0000000000FF6000-memory.dmp	netwire
behavioral1/memory/2464-69-0x00000000003B0000-0x00000000003E0000-memory.dmp	netwire
behavioral1/memory/2464-72-0x00000000003B0000-0x00000000003E0000-memory.dmp	netwire
behavioral1/memory/2676-74-0x0000000000F90000-0x0000000000FF6000-memory.dmp	netwire
behavioral1/memory/2464-75-0x00000000003B0000-0x00000000003E0000-memory.dmp	netwire
behavioral1/memory/2464-76-0x00000000003B0000-0x00000000003E0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2676	eurj.exe
2464	eurj.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	53b5306d77c1b44d375ebca82dd680ce.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\eurj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Speech\\eurj.exe"	eurj.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0038000000016d1e-38.dat	autoit_exe
behavioral1/files/0x0038000000016d1e-39.dat	autoit_exe
behavioral1/files/0x0038000000016d1e-35.dat	autoit_exe
behavioral1/files/0x0038000000016d1e-70.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2656	2336	53b5306d77c1b44d375ebca82dd680ce.exe	28
PID 2676 set thread context of 2464	2676	eurj.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2656	2336	53b5306d77c1b44d375ebca82dd680ce.exe	28
PID 2336 wrote to memory of 2656	2336	53b5306d77c1b44d375ebca82dd680ce.exe	28
PID 2336 wrote to memory of 2656	2336	53b5306d77c1b44d375ebca82dd680ce.exe	28
PID 2336 wrote to memory of 2656	2336	53b5306d77c1b44d375ebca82dd680ce.exe	28
PID 2336 wrote to memory of 2656	2336	53b5306d77c1b44d375ebca82dd680ce.exe	28
PID 2336 wrote to memory of 2656	2336	53b5306d77c1b44d375ebca82dd680ce.exe	28
PID 2656 wrote to memory of 2676	2656	53b5306d77c1b44d375ebca82dd680ce.exe	29
PID 2656 wrote to memory of 2676	2656	53b5306d77c1b44d375ebca82dd680ce.exe	29
PID 2656 wrote to memory of 2676	2656	53b5306d77c1b44d375ebca82dd680ce.exe	29
PID 2656 wrote to memory of 2676	2656	53b5306d77c1b44d375ebca82dd680ce.exe	29
PID 2676 wrote to memory of 2464	2676	eurj.exe	32
PID 2676 wrote to memory of 2464	2676	eurj.exe	32
PID 2676 wrote to memory of 2464	2676	eurj.exe	32
PID 2676 wrote to memory of 2464	2676	eurj.exe	32
PID 2676 wrote to memory of 2464	2676	eurj.exe	32
PID 2676 wrote to memory of 2464	2676	eurj.exe	32

C:\Users\Admin\AppData\Local\Temp\53b5306d77c1b44d375ebca82dd680ce.exe
"C:\Users\Admin\AppData\Local\Temp\53b5306d77c1b44d375ebca82dd680ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\53b5306d77c1b44d375ebca82dd680ce.exe
  C:\Users\Admin\AppData\Local\Temp\53b5306d77c1b44d375ebca82dd680ce.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe

Filesize
77KB

MD5
3d15062b7fa05e29bb011e00ebc611df

SHA1
14353a0050e4cdc7230a25a0209a0e3a8f5829e0

SHA256
91263f8d46791e011583234a8b1d5e41acc036cfddc4d60e26607589884a7e62

SHA512
d97ec08113ed4e190381e09ea91c9a2951cc4fd062837683d775e85e5b3c2ee445829845bdf12dbe49de2833fb154fc466578d17769df4b3075d8b964205a825

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe

Filesize
48KB

MD5
4b5a3d62fe5540c53d526a56f1af1807

SHA1
ab094a4f9d43ee50f9c7be7760519a26e94db92d

SHA256
aaa247a0bb996cb5414dbc5943a68c12f84ea06f44ce1f327910ae96416e6b67

SHA512
316d13097ab14b9d114a8624dc46c217c1dfff7bda804a8df63a42bf1fd20a53af2ba2e995ea6e936028acaf8d68a44f914482543598cd866312c9fc5a8e503e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe

Filesize
3.1MB

MD5
53b5306d77c1b44d375ebca82dd680ce

SHA1
49ecb91d93136097f0cf9b6691effdf6fe4b755c

SHA256
7654eb53d495fab9d93ca0d1deb92538536c3fb8a01619615328ae70d365243c

SHA512
1e5baf3f7d892fb7ef1abe9ddf6bc28c039c764c730e3837bea57719579f507eff965688efc6cbdc74259640cb5f500102f51111dda5a434e5f01686babcc8e3

Download Submit
C:\Users\Admin\AppData\Roaming\zolxpjteqgifgfyiykweoitan17960.png

Filesize
49KB

MD5
2314d54783698707601c1844eba335e9

SHA1
27a0854f7fd8da395fec86f0a8255fcb8389710e

SHA256
2831eebb226d7e5a9fc10c626baa925115a0c968f36140dc71707fddea98d2d0

SHA512
3b4036a54310165561e8c4653ec3a0fbf05140b3a7abf42e21eaa8810208249ac15cb26c4c21966285b11482b8baeb65d716dec6173f31586876496d3826a149

Download Submit
C:\Users\Admin\AppData\Roaming\zolxpjteqgifgfyiykweoitan17960.png

Filesize
395KB

MD5
091a530232f00ea62bc43aa1da1c7b10

SHA1
d71e651ad0bc568635ecce003a9430c60ff3938d

SHA256
be229a2a73cb4af85447dd79d25922dd0954cbbe05d60e671f723bdc03cb56de

SHA512
67d33486340e9044ef72404e75221f0ba646d5eda6783124a3fe94ee83548228e903f8c7fe6334eef41c41fb212b90360450985cd0dc9f462fc2abe2dda3c66d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\eurj.exe

Filesize
58KB

MD5
13caa20fd41cda20d36339769d26ff16

SHA1
7fb3b9a1b991ec568435f8e6f3edf36f9f8df07a

SHA256
2d5c4c122a202229a2d59f5783ec8d062662640184254aa4f2b2f394b4e0f985

SHA512
81e39210eea4ab3e00dc01db30779345c57fbb8982c10ccd56fc391b610d9b17649838f5a41a81e2af283f656bf1f10f0c602afac3800d64ca843df463a97f1e

Download Submit
memory/2336-14-0x0000000002F30000-0x00000000030B0000-memory.dmp

Filesize
1.5MB

Download
memory/2336-10-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2336-13-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2336-16-0x0000000002F30000-0x00000000030B0000-memory.dmp

Filesize
1.5MB

Download
memory/2336-18-0x0000000002F30000-0x00000000030B0000-memory.dmp

Filesize
1.5MB

Download
memory/2336-20-0x0000000002F30000-0x00000000030B0000-memory.dmp

Filesize
1.5MB

Download
memory/2336-22-0x0000000002F30000-0x00000000030B0000-memory.dmp

Filesize
1.5MB

Download
memory/2336-6-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2336-11-0x0000000002F30000-0x00000000030B0000-memory.dmp

Filesize
1.5MB

Download
memory/2336-7-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2336-31-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2336-8-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2336-9-0x00000000005D0000-0x0000000000636000-memory.dmp

Filesize
408KB

Download
memory/2464-69-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/2464-67-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-72-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/2464-75-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/2464-76-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/2656-29-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/2656-33-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/2656-24-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/2656-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-27-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/2676-55-0x0000000000F90000-0x0000000000FF6000-memory.dmp

Filesize
408KB

Download
memory/2676-74-0x0000000000F90000-0x0000000000FF6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads