netwire | 43172b4c057c13284ff9409e7e9602403dc91c6eb7702a1e653fd26213ad462f

General

Target

a6d4e39429984f7a4d39a08e662cd0c9.exe
Size

531KB
MD5

a6d4e39429984f7a4d39a08e662cd0c9
SHA1

af1bcd0ef9d01b633bbb5136f0a3763465c968fe
SHA256

43172b4c057c13284ff9409e7e9602403dc91c6eb7702a1e653fd26213ad462f
SHA512

96b5629c72f90e9267372e46e189926d268598c7bad4af465c5eb3727d4e0b235ff8a0d5098f90ebf3af8612f738024a4ede6fab361da14adb97643fe026cebc
SSDEEP

12288:Blp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXOr8rR+XcExv:AluWQ

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

193.23.127.96:5004

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
BILLAZ
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2716-13-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2716-16-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2716-18-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2716-19-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	a6d4e39429984f7a4d39a08e662cd0c9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2032	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 2032	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	94
PID 976 wrote to memory of 2032	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	94
PID 976 wrote to memory of 2032	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	94
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96
PID 976 wrote to memory of 2716	976	a6d4e39429984f7a4d39a08e662cd0c9.exe	96

C:\Users\Admin\AppData\Local\Temp\a6d4e39429984f7a4d39a08e662cd0c9.exe
"C:\Users\Admin\AppData\Local\Temp\a6d4e39429984f7a4d39a08e662cd0c9.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oFiPVbtF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1F8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\a6d4e39429984f7a4d39a08e662cd0c9.exe
  "{path}"
  2⤵
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC1F8.tmp

Filesize
1KB

MD5
916f4c90b184654da5feeac490e8f0a8

SHA1
bff0365b9f2d627c4c10393d1f7379a9c085bd49

SHA256
fe864a71d2345aad315160d2be9d9589d4519569fa727a4f1c5a0fadadab4577

SHA512
a8130638ec1b5e75d8f2ea72b5565af44706e33ae483ebbcd6ba5ef04383e340a18d7be99d808d7c8686fb33cd4411caf09dcac451ee06ad7114008a6280d3a2

Download Submit
memory/976-8-0x00000000053E0000-0x0000000005470000-memory.dmp

Filesize
576KB

Download
memory/976-0-0x0000000000060000-0x00000000000EA000-memory.dmp

Filesize
552KB

Download
memory/976-3-0x0000000004A90000-0x0000000004A98000-memory.dmp

Filesize
32KB

Download
memory/976-4-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/976-5-0x0000000004D70000-0x0000000004E0C000-memory.dmp

Filesize
624KB

Download
memory/976-6-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/976-2-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/976-17-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/976-7-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/976-1-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/976-9-0x0000000007930000-0x0000000007978000-memory.dmp

Filesize
288KB

Download
memory/2716-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads