netwire | 6238f606f5fd0fc1689731a503c42645ef7f383860071a4c70ad88d2c965102c

General

Target

2385d88ca5ab8b2b8bc155159d2592f2.exe
Size

4.8MB
MD5

2385d88ca5ab8b2b8bc155159d2592f2
SHA1

c233168d0f36fa55768690119955ba79eb3ddd85
SHA256

6238f606f5fd0fc1689731a503c42645ef7f383860071a4c70ad88d2c965102c
SHA512

8c0bd8f73ae112f6ec0aa2d5fb379a73819026250feaa43aed1bfc05ae7e805a7c632820ccc3cb28bfdd9baca9f0e4157ef4f4a22e5c01a843b6182c86671671
SSDEEP

98304:J2cPK8D+3cvKcBeITUhCBB5WKfEe5wsxBNB2+ODMiQmZwhtrUFY75sXmjl8T7g:wCKq+WcscCBaKfEex2++hZwhmEsXmR8Q

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

clients.enigmasolutions.xyz:54573

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
Cleint-%Rand%
install_path
%AppData%\Microsoft\Network\Network.exe
keylogger_dir
%AppData%\msr\
lock_executable
false
offline_keylogger
true
password
\tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun
true
startup_name
ruj
use_mutex
false

Signatures

NetWire RAT payload 12 IoCs

rat

resource	yara_rule
behavioral2/memory/2856-11-0x0000000003E90000-0x0000000003EF6000-memory.dmp	netwire
behavioral2/memory/2856-12-0x0000000003E90000-0x0000000003EF6000-memory.dmp	netwire
behavioral2/memory/2888-20-0x0000000001440000-0x0000000001470000-memory.dmp	netwire
behavioral2/memory/2888-22-0x0000000001440000-0x0000000001470000-memory.dmp	netwire
behavioral2/memory/2888-24-0x0000000001440000-0x0000000001470000-memory.dmp	netwire
behavioral2/memory/2856-26-0x0000000003E90000-0x0000000003EF6000-memory.dmp	netwire
behavioral2/memory/1532-51-0x0000000000D30000-0x0000000000D60000-memory.dmp	netwire
behavioral2/memory/1532-54-0x0000000000D30000-0x0000000000D60000-memory.dmp	netwire
behavioral2/memory/1532-55-0x0000000000D30000-0x0000000000D60000-memory.dmp	netwire
behavioral2/memory/3508-57-0x0000000004090000-0x00000000040F6000-memory.dmp	netwire
behavioral2/memory/3508-50-0x0000000004090000-0x00000000040F6000-memory.dmp	netwire
behavioral2/memory/1532-58-0x0000000000D30000-0x0000000000D60000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
3508	Network.exe
1532	Network.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Network\\Network.exe"	Network.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000400000001e516-30.dat	autoit_exe
behavioral2/files/0x000400000001e516-35.dat	autoit_exe
behavioral2/files/0x000400000001e516-36.dat	autoit_exe
behavioral2/files/0x000400000001e516-52.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 2888	2856	2385d88ca5ab8b2b8bc155159d2592f2.exe	98
PID 3508 set thread context of 1532	3508	Network.exe	103

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2888	2856	2385d88ca5ab8b2b8bc155159d2592f2.exe	98
PID 2856 wrote to memory of 2888	2856	2385d88ca5ab8b2b8bc155159d2592f2.exe	98
PID 2856 wrote to memory of 2888	2856	2385d88ca5ab8b2b8bc155159d2592f2.exe	98
PID 2856 wrote to memory of 2888	2856	2385d88ca5ab8b2b8bc155159d2592f2.exe	98
PID 2856 wrote to memory of 2888	2856	2385d88ca5ab8b2b8bc155159d2592f2.exe	98
PID 2888 wrote to memory of 3508	2888	Process not Found	99
PID 2888 wrote to memory of 3508	2888	Process not Found	99
PID 2888 wrote to memory of 3508	2888	Process not Found	99
PID 3508 wrote to memory of 1532	3508	Network.exe	103
PID 3508 wrote to memory of 1532	3508	Network.exe	103
PID 3508 wrote to memory of 1532	3508	Network.exe	103
PID 3508 wrote to memory of 1532	3508	Network.exe	103
PID 3508 wrote to memory of 1532	3508	Network.exe	103

C:\Users\Admin\AppData\Local\Temp\2385d88ca5ab8b2b8bc155159d2592f2.exe
"C:\Users\Admin\AppData\Local\Temp\2385d88ca5ab8b2b8bc155159d2592f2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\2385d88ca5ab8b2b8bc155159d2592f2.exe
  C:\Users\Admin\AppData\Local\Temp\2385d88ca5ab8b2b8bc155159d2592f2.exe
  2⤵
  PID:2888
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut2333.tmp

Filesize
395KB

MD5
30ebadf5fba5ccaf94f4d955f007d509

SHA1
d1b2e8f00471c1223629b6037042e0cfe894ca50

SHA256
b60b511f3a0c7a5dc63aa5301a673a116cb7c97afc569ea054d7f18f3b21e17a

SHA512
3c0d7b63f4a9852e9d874db224b8fa9d91b360719c3faf21881bb80b95cdd5384c7a4b0aea586cb2d847b16c8fd178d1f2fb368897449dc01886a6b6b3f14a84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe

Filesize
434KB

MD5
b53ea16b764fc9e0da085b8cce847611

SHA1
e67013239d2b579267c980ffe6a9b70cacb50196

SHA256
30eefc24909cbb1ea5e5e091f3ed46eada4f9ccd8e6158fd6cb7c91095c7e64b

SHA512
153793fa978c83eb51ccddb8414c811c4c24fd3a4fe09652fbdf428bf8b67516e29c542ae00a340d1ece64599816828067d3c462082dbea7f43c6492353de942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe

Filesize
385KB

MD5
93dbc069cc57ad5d36555eec2a9c7c42

SHA1
281a584af4da2780a1e57bf2f1982821f997d25d

SHA256
ea4e500b3c7087b82114a8e01e3d8cd32dd62b11abc96e591046a06a8304ee3c

SHA512
b303d7d50143e403054b43923f3df3445ab245abfdc6eeda7326599bb6d6fbe65c6a8145d9eade996efd462552133b848b29f7528d457ea9c0b7dd09c153058f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe

Filesize
256KB

MD5
4449e80a2c78dcb7083c8a2669380ffb

SHA1
054c6af5371f63ae291b9713044f283e1d99617e

SHA256
45b25f8f27bebff55fe35e358d0512e79837eab6e266fe7a59a4299b602ff128

SHA512
faffa5208debd31224898e7e93b80065753b2d9a3da7a8989b6f938be129e906b43f1f9bfed4ad385e2a27513a13c034682c556c59b7b6594293d2ad2f8748af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\Network.exe

Filesize
265KB

MD5
cae777064aae4cce9bc741d98fa64173

SHA1
30af216a4ad4006b5d87724cebb5fcef92e66026

SHA256
921dab538aa7714ffec59f85edd0b69c918b47ee97dced0d0e67d073a6ec125f

SHA512
eb1dfa4e4d88b38a27209bbab1634a2b5890fb8de52fed85655e28d4e6b25200f98ed954c91dc84a9083d12731d6bfcbcdda1832ef1d3c97ab99b3bb4acf0155

Download Submit
memory/1532-58-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/1532-55-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/1532-54-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/1532-51-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/2856-13-0x00000000776D8000-0x00000000776D9000-memory.dmp

Filesize
4KB

Download
memory/2856-10-0x0000000003E90000-0x0000000003EF6000-memory.dmp

Filesize
408KB

Download
memory/2856-16-0x000000007767B000-0x000000007767C000-memory.dmp

Filesize
4KB

Download
memory/2856-15-0x00000000776C4000-0x00000000776C5000-memory.dmp

Filesize
4KB

Download
memory/2856-14-0x00000000776A0000-0x00000000776A1000-memory.dmp

Filesize
4KB

Download
memory/2856-7-0x0000000003E90000-0x0000000003EF6000-memory.dmp

Filesize
408KB

Download
memory/2856-8-0x0000000003E90000-0x0000000003EF6000-memory.dmp

Filesize
408KB

Download
memory/2856-26-0x0000000003E90000-0x0000000003EF6000-memory.dmp

Filesize
408KB

Download
memory/2856-17-0x00000000776AC000-0x00000000776AD000-memory.dmp

Filesize
4KB

Download
memory/2856-18-0x00000000776D7000-0x00000000776D8000-memory.dmp

Filesize
4KB

Download
memory/2856-19-0x000000007769C000-0x000000007769D000-memory.dmp

Filesize
4KB

Download
memory/2856-12-0x0000000003E90000-0x0000000003EF6000-memory.dmp

Filesize
408KB

Download
memory/2856-11-0x0000000003E90000-0x0000000003EF6000-memory.dmp

Filesize
408KB

Download
memory/2856-9-0x0000000003E90000-0x0000000003EF6000-memory.dmp

Filesize
408KB

Download
memory/2888-20-0x0000000001440000-0x0000000001470000-memory.dmp

Filesize
192KB

Download
memory/2888-24-0x0000000001440000-0x0000000001470000-memory.dmp

Filesize
192KB

Download
memory/2888-22-0x0000000001440000-0x0000000001470000-memory.dmp

Filesize
192KB

Download
memory/3508-57-0x0000000004090000-0x00000000040F6000-memory.dmp

Filesize
408KB

Download
memory/3508-50-0x0000000004090000-0x00000000040F6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads