netwire | 36acfd31af173ab9a7d9daf6dd7eaa29efc19cddd492847111f5cd0554db88b6

General

Target

b4cddfde06d2865b8a9159257a306956.exe
Size

1.1MB
MD5

b4cddfde06d2865b8a9159257a306956
SHA1

8442d322f8b3a4867a2e0b0a8bfdcb0d6f027b43
SHA256

36acfd31af173ab9a7d9daf6dd7eaa29efc19cddd492847111f5cd0554db88b6
SHA512

08531ce7812b1fad7d5009d7ce4eeb8eed9c10d877aaed45af75b8a7110c40041a3a984de9d0534ad5386279ab53ebfc4137850a6a64882d15194dd8992dcb0c
SSDEEP

24576:1AOcZuj86SEqPGdvf6AH7bxk9ilugRp3fO+veit:/h86SEn9fDIiluQzt

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

harold.ns01.info:3606

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Netwir
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
pHJVBoFH
offline_keylogger
true
password
master12
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2428-59-0x0000000000290000-0x00000000008F0000-memory.dmp	netwire
behavioral1/memory/2428-61-0x0000000000290000-0x00000000008F0000-memory.dmp	netwire
behavioral1/memory/2428-62-0x0000000000290000-0x00000000008F0000-memory.dmp	netwire
behavioral1/memory/2428-63-0x0000000000290000-0x00000000008F0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
3008	xuaqp.pif

Loads dropped DLL 4 IoCs

pid	Process
2340	b4cddfde06d2865b8a9159257a306956.exe
2340	b4cddfde06d2865b8a9159257a306956.exe
2340	b4cddfde06d2865b8a9159257a306956.exe
2340	b4cddfde06d2865b8a9159257a306956.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\15602088\\xuaqp.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\15602088\\pkpnfx.fop"	xuaqp.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 2428	3008	xuaqp.pif	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3008	2340	b4cddfde06d2865b8a9159257a306956.exe	28
PID 2340 wrote to memory of 3008	2340	b4cddfde06d2865b8a9159257a306956.exe	28
PID 2340 wrote to memory of 3008	2340	b4cddfde06d2865b8a9159257a306956.exe	28
PID 2340 wrote to memory of 3008	2340	b4cddfde06d2865b8a9159257a306956.exe	28
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29
PID 3008 wrote to memory of 2428	3008	xuaqp.pif	29

C:\Users\Admin\AppData\Local\Temp\b4cddfde06d2865b8a9159257a306956.exe
"C:\Users\Admin\AppData\Local\Temp\b4cddfde06d2865b8a9159257a306956.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\15602088\xuaqp.pif
  "C:\Users\Admin\AppData\Local\Temp\15602088\xuaqp.pif" pkpnfx.fop
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15602088\iibejfhbm.bin

Filesize
370KB

MD5
23d28497220185da16a6a79e7537c282

SHA1
d82b638888859281437fbf384309672e81f58acf

SHA256
9405a5ce0388637b629d5051701f0d2edbf470daca8ee62e0d6eb7aa2e319963

SHA512
a1e4e532b0b0b8318aa6f6131bddb1010adb0d3b4010a7d1a92f777e185df8c444ae1d1cd5b4565c5cb200660220ca1c7e902481e4b9b7acdc59112f6ad6faf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\15602088\pkpnfx.fop

Filesize
8.2MB

MD5
5e316fbb749299c2828f897e235c9dd0

SHA1
92f9eb53cb50ffa1176e5c61293a28bdedde0e7f

SHA256
85302326dfce567509def34ed88f4611027d0632ee0e2efdba537834d7df754a

SHA512
2463ba15c8c822c3464e503c8e0117cab7275d8899fb8e89ffae12dc27ced44a7601a3abda941f6bad391e7d8b9bf31975f2aa3cced240e39bab9c80b0192c68

Download Submit
\Users\Admin\AppData\Local\Temp\15602088\xuaqp.pif

Filesize
646KB

MD5
208b6eb9bd9304bb409265cb3c924da4

SHA1
f08040e503a022319bb2cccd39867629211568c9

SHA256
b6f7607ed1866b34da77cbf481b8da0156122565b04ba3d5678d1b9b50eb1e1e

SHA512
d79fb196beafeba5e578b6584d5f47583425a2a3b150f690a17f20a0860288f170c6ade94d6f76ed85e9e0259e3878ba1bf830283f36e20c9cf9d370597799c8

Download Submit
memory/2428-58-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-57-0x0000000000290000-0x00000000008F0000-memory.dmp

Filesize
6.4MB

Download
memory/2428-59-0x0000000000290000-0x00000000008F0000-memory.dmp

Filesize
6.4MB

Download
memory/2428-61-0x0000000000290000-0x00000000008F0000-memory.dmp

Filesize
6.4MB

Download
memory/2428-62-0x0000000000290000-0x00000000008F0000-memory.dmp

Filesize
6.4MB

Download
memory/2428-63-0x0000000000290000-0x00000000008F0000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads