netwire | b29638fef231eba58ea2533bb14fc23362d2b85abe7e6387aca200a0c3a94f97

General

Target

5ddc7639a86c6272811ef5b3cbf06a2c.exe
Size

515KB
MD5

5ddc7639a86c6272811ef5b3cbf06a2c
SHA1

2efbb07cc0b65bd88598183cf88aa83adf2756e7
SHA256

b29638fef231eba58ea2533bb14fc23362d2b85abe7e6387aca200a0c3a94f97
SHA512

01d6ec8ea5ebba0dd7e0d99a2bfdcbb4c420ac74ac1a94b9b41537a285ae9e994d9082c2ece8767e4cc43f8e5094d6a59b3f304fe1a8931821d3932de3fde7b4
SSDEEP

12288:l94+i7AV0Rp6XSNs6vwPwLDtpU6CO+blYB0+fj2psp60:l9PULsYCKk6CO+

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

194.5.97.122:3394

194.5.97.122:3399

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
rich2021
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3472-15-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3472-18-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3472-20-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	5ddc7639a86c6272811ef5b3cbf06a2c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2964	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2964	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	97
PID 2504 wrote to memory of 2964	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	97
PID 2504 wrote to memory of 2964	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	97
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99
PID 2504 wrote to memory of 3472	2504	5ddc7639a86c6272811ef5b3cbf06a2c.exe	99

C:\Users\Admin\AppData\Local\Temp\5ddc7639a86c6272811ef5b3cbf06a2c.exe
"C:\Users\Admin\AppData\Local\Temp\5ddc7639a86c6272811ef5b3cbf06a2c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZiXsGio" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B22.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\5ddc7639a86c6272811ef5b3cbf06a2c.exe
  "{path}"
  2⤵
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2B22.tmp

Filesize
1KB

MD5
5a47f378833c9bc98fc45cba1f817972

SHA1
97835e393cdb7ce4a09f8e842342fba8338d535c

SHA256
022b91f49eea29cd30b5ab09cc67745bf7ee551a89463096f8dee299be67f484

SHA512
40a1594642c188db31f02a9a73218307d696fb0e9e1930783b79018c162079c5e0666ac5d2854e5388e87c3d519bd3b68919342a956d37045e8c071289bf4d1e

Download Submit
memory/2504-4-0x0000000007240000-0x00000000072DC000-memory.dmp

Filesize
624KB

Download
memory/2504-10-0x00000000024F0000-0x000000000257E000-memory.dmp

Filesize
568KB

Download
memory/2504-3-0x00000000071A0000-0x0000000007232000-memory.dmp

Filesize
584KB

Download
memory/2504-0-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/2504-5-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/2504-6-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/2504-2-0x00000000076B0000-0x0000000007C54000-memory.dmp

Filesize
5.6MB

Download
memory/2504-7-0x00000000076A0000-0x00000000076B4000-memory.dmp

Filesize
80KB

Download
memory/2504-9-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/2504-8-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/2504-11-0x0000000005EB0000-0x0000000005EF2000-memory.dmp

Filesize
264KB

Download
memory/2504-1-0x0000000000210000-0x0000000000298000-memory.dmp

Filesize
544KB

Download
memory/2504-19-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3472-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads