netwire | fb03fa106a2462218ae3a74378da7b1d3f00b49600167c3918c88d84c7f1da36

General

Target

ee4f7e169e50ed14547ad93e313497a3.exe
Size

594KB
MD5

ee4f7e169e50ed14547ad93e313497a3
SHA1

f611237cf87fc5166c8169a349afee042a81312d
SHA256

fb03fa106a2462218ae3a74378da7b1d3f00b49600167c3918c88d84c7f1da36
SHA512

c50b61211690e56e3118617f5fa237d7379424a46d8c33a5608c0eaf4186b638b83f9fe9b212e17321d71d038b57b91942efa4420dee28a6a0158f3dedd3412b
SSDEEP

12288:2Jz0TrCqVM8UoAs4fg4xbFs9lLaAgev1pS4aCkFdqri9VWQMkbx/yMFqNfub:uirCkUo8fLBqmze9pS4a7qu9VdMkbIM/

Score

10^/10

netwire botnet persistence rat stealer upx

Malware Config

Extracted

Family

netwire

C2

automan.duckdns.org:3382

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
HDPAYslj
offline_keylogger
true
password
onelove82
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 11 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000012246-2.dat	netwire
behavioral1/memory/2220-15-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-17-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-18-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-22-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-23-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-24-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-25-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-26-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-27-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/2760-28-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2220	test.exe
2760	Host.exe

Loads dropped DLL 4 IoCs

pid	Process
2232	cmd.exe
2232	cmd.exe
2220	test.exe
2220	test.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2620-0-0x0000000000400000-0x000000000055C000-memory.dmp	upx
behavioral1/memory/2620-16-0x0000000000400000-0x000000000055C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2232	2620	ee4f7e169e50ed14547ad93e313497a3.exe	29
PID 2620 wrote to memory of 2232	2620	ee4f7e169e50ed14547ad93e313497a3.exe	29
PID 2620 wrote to memory of 2232	2620	ee4f7e169e50ed14547ad93e313497a3.exe	29
PID 2620 wrote to memory of 2232	2620	ee4f7e169e50ed14547ad93e313497a3.exe	29
PID 2232 wrote to memory of 2220	2232	cmd.exe	30
PID 2232 wrote to memory of 2220	2232	cmd.exe	30
PID 2232 wrote to memory of 2220	2232	cmd.exe	30
PID 2232 wrote to memory of 2220	2232	cmd.exe	30
PID 2220 wrote to memory of 2760	2220	test.exe	31
PID 2220 wrote to memory of 2760	2220	test.exe	31
PID 2220 wrote to memory of 2760	2220	test.exe	31
PID 2220 wrote to memory of 2760	2220	test.exe	31

C:\Users\Admin\AppData\Local\Temp\ee4f7e169e50ed14547ad93e313497a3.exe
"C:\Users\Admin\AppData\Local\Temp\ee4f7e169e50ed14547ad93e313497a3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\test.exe

Filesize
127KB

MD5
947c706540a4f3083fc09dbbd20aa0d7

SHA1
b1add7d17a38b1d0e906ad86f034c6528bb371af

SHA256
d5e61bdd7736038993c3762a6a2192b2730a44562bde045fa95ba9e45525bc3c

SHA512
df794541bd7fe99058f5de6dd7e4e158a657aae31d00d464718f836a07f6a9af36b073a312586bfa7d4ad672c4fd58c6644b788eeb5fd20496d398383c1d7e23

Download Submit
memory/2220-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2620-0-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2620-16-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/2760-22-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-23-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-24-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-25-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-27-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2760-28-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads