netwire | 1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

General

Target

1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
Size

183KB
MD5

20ddd5396553be13fef4c8e6b2b481e9
SHA1

6b109b238c1245c7e81fe0b4a2e2859450e375b6
SHA256

1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841
SHA512

ecb41f267006bf879698376c91d9f5b07537a0cbee0240d631b931a5838376f38e86f6328e22c47520080918a72a397194e3c80f26bfb6496a2a7c9ebffc7d9a
SSDEEP

3072:m8Dsp+FNX1dFOvDlXJu545fL0MgJekMBdSSe/cIN7hIWaWk14FiFTFslv:m8dNXSE5QL0MglEtYcIZLtswlv

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

123.242.227.5:443

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
INTECHNGC-%Rand%
install_path
%AppData%\Eggs\ngcservices.exe
keylogger_dir
%AppData%\EggWriter\
lock_executable
false
mutex
PisPfLxv
offline_keylogger
true
password
letmein
registry_autorun
true
startup_name
EggProducts
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/4956-17-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/4956-19-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/4956-22-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/4932-57-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/4932-58-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
652	ngcservices.exe
4932	ngcservices.exe

Loads dropped DLL 6 IoCs

pid	Process
4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
652	ngcservices.exe
652	ngcservices.exe
652	ngcservices.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EggProducts = "C:\\Users\\Admin\\AppData\\Roaming\\Eggs\\ngcservices.exe"	ngcservices.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4068 set thread context of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 652 set thread context of 4932	652	ngcservices.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023503-26.dat	nsis_installer_1
behavioral2/files/0x0007000000023503-26.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4068 wrote to memory of 4956	4068	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	98
PID 4956 wrote to memory of 652	4956	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	103
PID 4956 wrote to memory of 652	4956	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	103
PID 4956 wrote to memory of 652	4956	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	103
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104
PID 652 wrote to memory of 4932	652	ngcservices.exe	104

C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
"C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
  "C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe
    "C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe
      "C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc3E4D.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
C:\Users\Admin\AppData\Roaming\Cheapskate.w

Filesize
87KB

MD5
fef38c1c0a3effe29bfc26c0dd64b74f

SHA1
6cdb0e503864ec97c1ee19af93753fada14d2a95

SHA256
328c89ce136d8854118a67185beb572f23594efe5b9b25662200d85a46025bdf

SHA512
840dee3d9386e15e6c5d65d5b95f0211c1b9ad09bc96b234e533b5eca940d274a1261e7a3d7ab76f2913c048d21ab13503016edc1bf4b63972bd7890a915d078

Download Submit
C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe

Filesize
183KB

MD5
20ddd5396553be13fef4c8e6b2b481e9

SHA1
6b109b238c1245c7e81fe0b4a2e2859450e375b6

SHA256
1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

SHA512
ecb41f267006bf879698376c91d9f5b07537a0cbee0240d631b931a5838376f38e86f6328e22c47520080918a72a397194e3c80f26bfb6496a2a7c9ebffc7d9a

Download Submit
C:\Users\Admin\AppData\Roaming\MiniHelp.zh.fb2

Filesize
15KB

MD5
ff51f2558cda28074348b0809886b211

SHA1
fb524eb846c2425f3bcd9896a1ef9034ad753cc0

SHA256
df637fcfedd33dbcd5bf6fa1066756790ee00d0e42753c37b657de59da2efca1

SHA512
d666e02ea6de7d90a602b9ef25a7340b80f4659d55d7c5ab9e392f12a10e51f07974db54713b30bba032657db61f8f705100e52542b0106ec3b462187af9cd61

Download Submit
C:\Users\Admin\AppData\Roaming\SFhelper.dll

Filesize
60KB

MD5
a2f3195a34dfb07900fc784a32a37d3f

SHA1
7e60c4ec6e1aece0de663f5ca614d22a77cc680b

SHA256
c0234f29167c2d0b6284dd3a32a0a6c1ab9bbd2f2475ccf5c3e758d4070835ea

SHA512
3aaaebdad04878af5a9692308b1ee7f91dd6682f9b046a23e803001bb6df5b87550a06c1c3b4be93169a582935859e3af0fce2947e01d56ead3bb204a9458c55

Download Submit
C:\Users\Admin\AppData\Roaming\ScarpFlatboat.JF5

Filesize
4KB

MD5
cd4c6f911730189826815faa544ec3fa

SHA1
fe43e22860e674cfb5391304af3fc852db49e9aa

SHA256
57748394920b5972b37fadb9090af83f973cd522c8adb64b92b0a64d5f1bad34

SHA512
b93f3e05cf3109e54bfc9a1afd48bec7a0d885fa8b3123749178a5ae597c5022dc8794a17a74a599b3506ba03a735a15af8c24ad73867a1885755f41e478194a

Download Submit
C:\Users\Admin\AppData\Roaming\filter.png

Filesize
130B

MD5
d2532067959bb2db3a6edc469af4f114

SHA1
ee5f8cfa30b8fd1ac0ed57af136d2fde00dbb70f

SHA256
a6e11c733726b32bfa967242c04b916bb4d4b31f1b3d348d8ef67c5a64be183c

SHA512
33a72efac30cb8d879cedb105651d1826452396b47827c12a0db8daa97ce12cd71533ef2c438ed28c80063f2666feff01ac3380c761f98cb4e495b2c39cdc759

Download Submit
C:\Users\Admin\AppData\Roaming\toolbar.xrc

Filesize
4KB

MD5
8a3e9e93dcb01d2714b267e1d5c488ca

SHA1
98bdc0332862ad9dc72379160f2232c0acb48548

SHA256
b257c1f7892873000414b5b556b6b13e757b2c8e2e7db271769af33204ddb959

SHA512
d38a075f7570ab245d15986f066b82e411ebc95477cdef1a0c9f1a2565c092d3c50ffbec2e7676215162eec10a5d5e4b77bcd617c071e3f55fb875fcb628e77d

Download Submit
memory/652-48-0x00000000021B0000-0x00000000021BF000-memory.dmp

Filesize
60KB

Download
memory/4068-14-0x0000000002700000-0x000000000270F000-memory.dmp

Filesize
60KB

Download
memory/4932-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4932-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4956-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4956-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4956-22-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads