netwire | 1006ff92e3892ac95548a7fc0764deeaa0078ff153dcd6053d889cf9aad19f4b

General

Target

4eb5b6684c39595331f022a4265b8fb8.exe
Size

1.3MB
MD5

4eb5b6684c39595331f022a4265b8fb8
SHA1

5e90672889ecc1dd530d140ddb956f54c5be0f4b
SHA256

1006ff92e3892ac95548a7fc0764deeaa0078ff153dcd6053d889cf9aad19f4b
SHA512

96b9a874467b2bfe8d870c394c05793e69c1b63661558c0187b7cd8febab136c4fad191c3363299dad74da5806e5061ef8a6b83a93cd78c79f13e0b6d82871bf
SSDEEP

24576:lTevS/yMaon/yHrtV0VXDFGjwLS9NFJ/AWid8F/2f7FNRr:IogwLS9NFJ4Wi2F/2f7FN1

Score

10^/10

netwire botnet rat stealer upx

Malware Config

Extracted

Family

netwire

C2

love82.duckdns.org:3382

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
OqvAvPni
offline_keylogger
true
password
onelove82
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 14 IoCs

rat

resource	yara_rule
behavioral2/memory/1896-13-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-15-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-16-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-17-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-18-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-19-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-20-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-21-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-22-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-23-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-24-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-25-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-26-0x0000000000400000-0x000000000042E000-memory.dmp	netwire
behavioral2/memory/4432-27-0x0000000000400000-0x000000000042E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
1896	test.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000f000000023124-2.dat	upx
behavioral2/memory/1896-3-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1896-13-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4432-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2544	812	4eb5b6684c39595331f022a4265b8fb8.exe	22
PID 812 wrote to memory of 2544	812	4eb5b6684c39595331f022a4265b8fb8.exe	22
PID 812 wrote to memory of 2544	812	4eb5b6684c39595331f022a4265b8fb8.exe	22
PID 2544 wrote to memory of 1896	2544	cmd.exe	18
PID 2544 wrote to memory of 1896	2544	cmd.exe	18
PID 2544 wrote to memory of 1896	2544	cmd.exe	18

C:\Users\Admin\AppData\Local\Temp\4eb5b6684c39595331f022a4265b8fb8.exe
"C:\Users\Admin\AppData\Local\Temp\4eb5b6684c39595331f022a4265b8fb8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
1⤵
- Executes dropped EXE
PID:1896
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
  2⤵
  PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
92KB

MD5
66c84c1476ffabae560eaf7676283766

SHA1
59199a727062a9c9207a8b94d699e4f5d9adab89

SHA256
98b3a8bfd80f538de595753024d384eeda3420322f15e0ba1d73f4202adbebea

SHA512
8d5b05f9f5c0352e292a6fac8d4eb963423d50f26bee9f87fd920a4b5ba2d3081641a4b1331856d9e34e65d3bf3268e8bc38e4a527de2ef9086b014529689ce7

Download Submit
memory/812-14-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/1896-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1896-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4432-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing