netwire | ba1f01fd0c66cd2d59dcbffa1d5b4387c4249921da221603cc4523e3a58dbbe5

Analysis

max time kernel
131s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/03/2024, 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1523e199fbefbec0bc01761b49f981d.exe
Size

2.6MB
MD5

d1523e199fbefbec0bc01761b49f981d
SHA1

121b2ffa4dc7eca9880d8dca8d5d0fdb6211eb4c
SHA256

ba1f01fd0c66cd2d59dcbffa1d5b4387c4249921da221603cc4523e3a58dbbe5
SHA512

5cf3ccc467f870f6c6b599e5bf4532e744a841f26dab9fd350f8691348939f7bef4f82fb172bfb3eede59a73e433d8b3db4f407df7cdcfdda027228de06eb40a
SSDEEP

49152:Fw80cTsjkWaPgHzoah04We95N5P7OEiF/ivu2BoUxPLPgPkWDSrt:y8sjkY7S4bjOLqv1BoUx0/+r

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

haija.mine.nu:1338

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
aegispirate
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
OOxTmvdD
offline_keylogger
true
password
qays1122
registry_autorun
true
startup_name
chrome
use_mutex
true

Signatures

NetWire RAT payload 10 IoCs

rat

resource	yara_rule
behavioral1/memory/2588-26-0x0000000000840000-0x0000000000874000-memory.dmp	netwire
behavioral1/memory/2588-28-0x00000000023B0000-0x00000000023E3000-memory.dmp	netwire
behavioral1/memory/2536-32-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2536-33-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2536-34-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2536-35-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2536-37-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2536-41-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2536-43-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2536-47-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

resource	yara_rule
behavioral1/memory/2588-26-0x0000000000840000-0x0000000000874000-memory.dmp	Core1

Executes dropped EXE 2 IoCs

pid	Process
2316	Patch.exe
2588	svchost32.exe

Loads dropped DLL 4 IoCs

pid	Process
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Windows\\SysWow64\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\firefox.exe"	svchost32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 2536	2588	svchost32.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe
2856	d1523e199fbefbec0bc01761b49f981d.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2316	2856	d1523e199fbefbec0bc01761b49f981d.exe	28
PID 2856 wrote to memory of 2316	2856	d1523e199fbefbec0bc01761b49f981d.exe	28
PID 2856 wrote to memory of 2316	2856	d1523e199fbefbec0bc01761b49f981d.exe	28
PID 2856 wrote to memory of 2316	2856	d1523e199fbefbec0bc01761b49f981d.exe	28
PID 2856 wrote to memory of 2316	2856	d1523e199fbefbec0bc01761b49f981d.exe	28
PID 2856 wrote to memory of 2316	2856	d1523e199fbefbec0bc01761b49f981d.exe	28
PID 2856 wrote to memory of 2316	2856	d1523e199fbefbec0bc01761b49f981d.exe	28
PID 2856 wrote to memory of 2588	2856	d1523e199fbefbec0bc01761b49f981d.exe	29
PID 2856 wrote to memory of 2588	2856	d1523e199fbefbec0bc01761b49f981d.exe	29
PID 2856 wrote to memory of 2588	2856	d1523e199fbefbec0bc01761b49f981d.exe	29
PID 2856 wrote to memory of 2588	2856	d1523e199fbefbec0bc01761b49f981d.exe	29
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30
PID 2588 wrote to memory of 2536	2588	svchost32.exe	30

C:\Users\Admin\AppData\Local\Temp\d1523e199fbefbec0bc01761b49f981d.exe
"C:\Users\Admin\AppData\Local\Temp\d1523e199fbefbec0bc01761b49f981d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\Patch.exe
  "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\svchost32.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWow64\svchost.exe
    "C:\\Windows\\SysWow64\\svchost.exe"
    3⤵
    - Adds Run key to start application
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
252KB

MD5
5e82a20678200df6d28ba7327817d71c

SHA1
512e3ce2aa8759bc4af5e02666a5096b2bfb5013

SHA256
905a0885ec1d28c51fb949579b0d54968f04574c6dd2136d3433ce2cb72b0320

SHA512
94a6c66ad926cbad6a90349171d9de32e2c8605bf824f6768611b9bd17b097a8f8c6fc2b687503112224f0ff851010f4c3a7f6ddefcf0d52776afc2ee19ba40b

Download Submit
\Users\Admin\AppData\Local\Temp\Patch.exe

Filesize
1.0MB

MD5
d1283216ee4cb9d74a973f0b4830ef24

SHA1
c77011773862a9671aed52ac30fd9da1005b7d89

SHA256
d1aa5f2504839fc52dce7e10fa5239c39e8f36f3e091eaf5a4eaa86033f14fac

SHA512
551d89d13b0553cd88721a1aeaaf9158e30936176ebb403b401e7cee8b0e9bf1d6ca3d31dd0cf1cd81312999264bf10ddcb0d54b5449d955b984724696418b15

Download Submit
memory/2316-54-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-53-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-21-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2316-57-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-56-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-55-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-59-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-58-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-52-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-51-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-50-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-49-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-48-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-46-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-45-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2316-44-0x0000000000400000-0x00000000005EA000-memory.dmp

Filesize
1.9MB

Download
memory/2536-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-42-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-28-0x00000000023B0000-0x00000000023E3000-memory.dmp

Filesize
204KB

Download
memory/2588-27-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2588-26-0x0000000000840000-0x0000000000874000-memory.dmp

Filesize
208KB

Download
memory/2588-25-0x000000001BAA0000-0x000000001BB20000-memory.dmp

Filesize
512KB

Download
memory/2588-24-0x0000000000800000-0x0000000000834000-memory.dmp

Filesize
208KB

Download
memory/2588-23-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-22-0x000000013FEE0000-0x000000013FF22000-memory.dmp

Filesize
264KB

Download
memory/2856-12-0x0000000004B90000-0x0000000004D7A000-memory.dmp

Filesize
1.9MB

Download
memory/2856-4-0x0000000004B90000-0x0000000004D7A000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads