netwire | 5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a

General

Target

dbd37b8c044a27ec8008c6489231075f.exe
Size

359KB
MD5

dbd37b8c044a27ec8008c6489231075f
SHA1

cc5b97876fe9b09e2e0618a9f1a7c4dc1d78d129
SHA256

5226a12dc7f7b5e28732ad8b5ad6fa9a35eadfbeec122d798cd53c5ef73fe86a
SHA512

2ac7bc5b879ee7088e91120ef9b5b22d58b7be28f59960317524948e78417021cd13ba4701367e701e453cde84e64b29072643b6a183a203c506070a71d6d166
SSDEEP

6144:ZlfjLIs254Cz4FatkOAOqQxM3QLylFzk8x2dQ325Y/XDzQsFv:Z9jLIs25BrxM3+yHY84dQmGzz7F

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

66.154.103.106:13377

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
myphone
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2628-7-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2628-9-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2628-8-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2628-6-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2628-12-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2628-14-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Acrobat = "C:\\Users\\Admin\\AppData\\Local\\Adobe Acrobat.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2896	2628	WerFault.exe	30

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1200	1420	dbd37b8c044a27ec8008c6489231075f.exe	28
PID 1420 wrote to memory of 1200	1420	dbd37b8c044a27ec8008c6489231075f.exe	28
PID 1420 wrote to memory of 1200	1420	dbd37b8c044a27ec8008c6489231075f.exe	28
PID 1420 wrote to memory of 1200	1420	dbd37b8c044a27ec8008c6489231075f.exe	28
PID 1200 wrote to memory of 2612	1200	cmd.exe	29
PID 1200 wrote to memory of 2612	1200	cmd.exe	29
PID 1200 wrote to memory of 2612	1200	cmd.exe	29
PID 1200 wrote to memory of 2612	1200	cmd.exe	29
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 1420 wrote to memory of 2628	1420	dbd37b8c044a27ec8008c6489231075f.exe	30
PID 2628 wrote to memory of 2896	2628	dbd37b8c044a27ec8008c6489231075f.exe	31
PID 2628 wrote to memory of 2896	2628	dbd37b8c044a27ec8008c6489231075f.exe	31
PID 2628 wrote to memory of 2896	2628	dbd37b8c044a27ec8008c6489231075f.exe	31
PID 2628 wrote to memory of 2896	2628	dbd37b8c044a27ec8008c6489231075f.exe	31

C:\Users\Admin\AppData\Local\Temp\dbd37b8c044a27ec8008c6489231075f.exe
"C:\Users\Admin\AppData\Local\Temp\dbd37b8c044a27ec8008c6489231075f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\dbd37b8c044a27ec8008c6489231075f.exe" "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe" & REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Acrobat" /t REG_SZ /F /D "C:\Users\%username%\AppData\Local\Adobe Acrobat.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Adobe Acrobat" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Adobe Acrobat.exe"
    3⤵
    - Adds Run key to start application
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\dbd37b8c044a27ec8008c6489231075f.exe
  "C:\Users\Admin\AppData\Local\Temp\dbd37b8c044a27ec8008c6489231075f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 140
    3⤵
    - Program crash
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2628-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-2-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads