netwire | ddb36550d76aab46cf84a855f0e242d45a7fa4576f1b162fcf41026defecdc3d

General

Target

3aece3473d0dc78b33efce273ac23626.exe
Size

1.2MB
MD5

3aece3473d0dc78b33efce273ac23626
SHA1

64b35b31e90f6d569df2195f312f31d0d499a971
SHA256

ddb36550d76aab46cf84a855f0e242d45a7fa4576f1b162fcf41026defecdc3d
SHA512

77e81bf73fd795c9ece63b1eb8d0021bfaee3b6ac64d6cbe5a758e69666969b26451958622e9a2ac1fe00f4f907f2d69238c8b1cfa6cd5887e6bc83cff7d9284
SSDEEP

24576:1AOcZu3wPvjWH0+74RZ5bM3+vT9TFsXc6z1F/iI:/NGjx+8m3uT9TWM6z1F/D

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

harold.ns01.info:3606

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Netwir
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
pHJVBoFH
offline_keylogger
true
password
master12
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2968-77-0x00000000003F0000-0x0000000000981000-memory.dmp	netwire
behavioral1/memory/2968-79-0x00000000003F0000-0x0000000000981000-memory.dmp	netwire
behavioral1/memory/2968-80-0x00000000003F0000-0x0000000000981000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
2672	icvsbsh.pif

Loads dropped DLL 4 IoCs

pid	Process
2252	3aece3473d0dc78b33efce273ac23626.exe
2252	3aece3473d0dc78b33efce273ac23626.exe
2252	3aece3473d0dc78b33efce273ac23626.exe
2252	3aece3473d0dc78b33efce273ac23626.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\11195509\\icvsbsh.pif C:\\Users\\Admin\\AppData\\Roaming\\11195509\\moeebd.wrc"	icvsbsh.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2968	2672	icvsbsh.pif	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2672	2252	3aece3473d0dc78b33efce273ac23626.exe	28
PID 2252 wrote to memory of 2672	2252	3aece3473d0dc78b33efce273ac23626.exe	28
PID 2252 wrote to memory of 2672	2252	3aece3473d0dc78b33efce273ac23626.exe	28
PID 2252 wrote to memory of 2672	2252	3aece3473d0dc78b33efce273ac23626.exe	28
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31
PID 2672 wrote to memory of 2968	2672	icvsbsh.pif	31

C:\Users\Admin\AppData\Local\Temp\3aece3473d0dc78b33efce273ac23626.exe
"C:\Users\Admin\AppData\Local\Temp\3aece3473d0dc78b33efce273ac23626.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Roaming\11195509\icvsbsh.pif
  "C:\Users\Admin\AppData\Roaming\11195509\icvsbsh.pif" moeebd.wrc
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\11195509\icvsbsh.pif

Filesize
375KB

MD5
a5c843387d16a3c5662ba074146a9627

SHA1
f1559cdf65d84b74bcbad8cd6c65952b84ce2141

SHA256
4b06b917f60678255c44d2236525fc947bf09200807f49417762a5cbb6ada8b9

SHA512
813d86e15b885de3ea9ff79af9fdec11d45482d4491597f9956e2cf344942d37c1999faa9b38dc968a877dc8663c41617fede97ebcbfd11f27ed4a37dfb4afa6

Download Submit
C:\Users\Admin\AppData\Roaming\11195509\icvsbsh.pif

Filesize
381KB

MD5
a3699593324c486bce63d75c0349acb5

SHA1
12c738012bdecf3487c685c061c2d39fdad47bd1

SHA256
3e2054ba00e358a223f51e8d6eb9864fed1a1e04e5818ec3146f01a4545eb403

SHA512
145ab02d66ed688594a5d3ffb3bfd25dbcc67199c6f7b008206489eede39badba1841487b693d32aa796ad154940e2ad0e5819974dac2b9bca1ab690c458625d

Download Submit
C:\Users\Admin\AppData\Roaming\11195509\moeebd.wrc

Filesize
3KB

MD5
81f715895eaf6cb26d70c02bbf3b3b04

SHA1
950ee5ba593cfdf61d0cd25d8a58f0b41da97d5e

SHA256
041fc8a754d6843e5620103fbef6f2f4623ea1b36dc3322298c0c0c40b6234eb

SHA512
9c14385dfed453b8641712f9a30a76617037458ca8ebdde97455c5fc435e5c969ad8066b96107301934ac9e16fcc18db530f5b66257c8812a671e09990805184

Download Submit
C:\Users\Admin\AppData\Roaming\11195509\vjinxgxa.bin

Filesize
374KB

MD5
5d270497c5c172965dfec6b43cc1812a

SHA1
35f39071e5e735595dbdeda6c4e8ed46971f11d3

SHA256
6ce0736631e05712d72b2c0b4d3f85343907cdc02bb389419bf55ad4b8e69f62

SHA512
3ab7eda1d5f52274db633df06f1a9cb3a56d519560f819a03533ffb6ce1fb762dd07306e81b13c7da0990649415defd9fb4935775d0c10b71d085be8a7aa5d18

Download Submit
\Users\Admin\AppData\Roaming\11195509\icvsbsh.pif

Filesize
348KB

MD5
7dc3391e3459f95795fadadab6660e4a

SHA1
875971135edc2855bfe1630bbb37af406fe6bb24

SHA256
f486a5e0bc52bf512f5778ea4d0f089af02499f87570508d2d86b7bc96888b19

SHA512
89f5d553cad2aaffe78737d19923f8b95b7f8f15b3152c2038e5b00124d4df1a0bcf257ca43f2b46ae920c84ab7649bcb5037c22b7cdfd901f6134e1fbc6e061

Download Submit
\Users\Admin\AppData\Roaming\11195509\icvsbsh.pif

Filesize
670KB

MD5
adfcea78d75201b3e076ad5cd5e03024

SHA1
078a991833264fbd26fbe36368a8e5b7d80451fd

SHA256
6ca83be643d77af8da636b80200781881cb6c4a9a1ad60d910c65d354478b7db

SHA512
4427fb89c0b787fad0c34e2c736938e5b78bfef7f7fb55800d761f1044a2acce6b208fcda5ecd93fe13949acdf74c27bd8ed3df8bc210af65fd896aa246bb9da

Download Submit
memory/2968-77-0x00000000003F0000-0x0000000000981000-memory.dmp

Filesize
5.6MB

Download
memory/2968-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-75-0x00000000003F0000-0x0000000000981000-memory.dmp

Filesize
5.6MB

Download
memory/2968-79-0x00000000003F0000-0x0000000000981000-memory.dmp

Filesize
5.6MB

Download
memory/2968-80-0x00000000003F0000-0x0000000000981000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads