netwire | 51ffc7a0d345b5b01709f51fb8e6c3dd178fb89adccd7a3aad8cb0d6584f320d

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Eurobelt RFQ 203345_20200626100122637_PDF.exe
Size

566KB
MD5

e84685ec0b33fb56abead1aaf166b8ad
SHA1

ea3d03757c1d1c053abe433a28fedc48eb28a6a1
SHA256

e6db6d5f9019bdefffc749264a267c1927dcf5eba5a7ea3dfb10db457b6b2a16
SHA512

49285b13846735cc76d7cd9c2af1e33156c7bcb90ada17e95dadb1b28c86086287813c90bc20640876035de180487622a40b85b96196faefb28bd256eebf578a
SSDEEP

12288:9crNS33L10QdrXP/X+tGfnF2gqm1BRNWXlLslygCoPk6iS:ANA3R5drXPrfF11nNW1LslygH

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

sydor.tjsosda.com:5563

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
FRESH
install_path
%AppData%\Install\msc0nfig.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Qx7cUxUUgS
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000019258-49.dat	netwire
behavioral1/memory/1564-61-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1964-85-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/692-86-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 6 IoCs

pid	Process
2436	avdisable.exe
2912	fret.sfx.exe
1564	fret.exe
1964	msc0nfig.exe
2608	fret.sfx.exe
692	fret.exe

Loads dropped DLL 17 IoCs

pid	Process
2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe
2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe
2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe
2772	cmd.exe
2912	fret.sfx.exe
2912	fret.sfx.exe
2912	fret.sfx.exe
2912	fret.sfx.exe
1564	fret.exe
1564	fret.exe
2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe
2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe
2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe
2608	fret.sfx.exe
2608	fret.sfx.exe
2608	fret.sfx.exe
2608	fret.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fret.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fret.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fret.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eurobelt RFQ 203345_20200626100122637_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avdisable.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2436	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	31
PID 2352 wrote to memory of 2436	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	31
PID 2352 wrote to memory of 2436	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	31
PID 2352 wrote to memory of 2436	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	31
PID 2436 wrote to memory of 2732	2436	avdisable.exe	33
PID 2436 wrote to memory of 2732	2436	avdisable.exe	33
PID 2436 wrote to memory of 2732	2436	avdisable.exe	33
PID 2436 wrote to memory of 2732	2436	avdisable.exe	33
PID 2732 wrote to memory of 2736	2732	cmd.exe	34
PID 2732 wrote to memory of 2736	2732	cmd.exe	34
PID 2732 wrote to memory of 2736	2732	cmd.exe	34
PID 2352 wrote to memory of 2772	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	35
PID 2352 wrote to memory of 2772	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	35
PID 2352 wrote to memory of 2772	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	35
PID 2352 wrote to memory of 2772	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	35
PID 2772 wrote to memory of 2912	2772	cmd.exe	37
PID 2772 wrote to memory of 2912	2772	cmd.exe	37
PID 2772 wrote to memory of 2912	2772	cmd.exe	37
PID 2772 wrote to memory of 2912	2772	cmd.exe	37
PID 2912 wrote to memory of 1564	2912	fret.sfx.exe	38
PID 2912 wrote to memory of 1564	2912	fret.sfx.exe	38
PID 2912 wrote to memory of 1564	2912	fret.sfx.exe	38
PID 2912 wrote to memory of 1564	2912	fret.sfx.exe	38
PID 1564 wrote to memory of 1964	1564	fret.exe	39
PID 1564 wrote to memory of 1964	1564	fret.exe	39
PID 1564 wrote to memory of 1964	1564	fret.exe	39
PID 1564 wrote to memory of 1964	1564	fret.exe	39
PID 2352 wrote to memory of 2608	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	40
PID 2352 wrote to memory of 2608	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	40
PID 2352 wrote to memory of 2608	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	40
PID 2352 wrote to memory of 2608	2352	Eurobelt RFQ 203345_20200626100122637_PDF.exe	40
PID 2608 wrote to memory of 692	2608	fret.sfx.exe	41
PID 2608 wrote to memory of 692	2608	fret.sfx.exe	41
PID 2608 wrote to memory of 692	2608	fret.sfx.exe	41
PID 2608 wrote to memory of 692	2608	fret.sfx.exe	41

C:\Users\Admin\AppData\Local\Temp\Eurobelt RFQ 203345_20200626100122637_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Eurobelt RFQ 203345_20200626100122637_PDF.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DF09.tmp\DF0A.tmp\DF0B.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
      4⤵
      PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe
    fret.sfx.exe -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\fret.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fret.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Users\Admin\AppData\Roaming\Install\msc0nfig.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\msc0nfig.exe"
        5⤵
        Executes dropped EXE
        
        PID:1964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\fret.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\fret.exe"
    3⤵
    - Executes dropped EXE
    PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DF09.tmp\DF0A.tmp\DF0B.bat

Filesize
130B

MD5
78cf128c2c0b024aa9075d038f32c0f9

SHA1
ea941836117cb9f6d87a010806bbd5df58bd938a

SHA256
bc357caf1b6e8b12c5e257beaa3fe82a7b9ec2f982796ab699c86f8915e72d7e

SHA512
d523de37449552b99177cc3b510f068b2b2eeb1f30309d9e99320638e25e842df61357ae031cd2662c43e76c612ed2067e7c6319bf9e2e932793f0d5ee819c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\avdisable.exe

Filesize
88KB

MD5
0c73e1dccd5e52ce5abb544b3c7f1f7a

SHA1
b283d5eefb8626c178467ff38aca9afc3e589343

SHA256
dd7413dd067439dd10afb0b9a2c76c5e30b8aba5413571a31c14d5589adf6909

SHA512
9181f32a9648ddf44d02881e4dc11269bb841f3d571b78ef2cb1652d53e355d733d70624ab9fdad06c9a270dee49d30170028e283f93bbf7c82926e3cecf2252

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\opener.bat

Filesize
21B

MD5
14b6aa67bff27f67b794fd6581847781

SHA1
44d29ece8a05f7d46e4f31b1390dae67634f2bcc

SHA256
7418deba23971c4b160b5287633c173753becf26228f7d32e9c7cfc83502ae3f

SHA512
bac47e9f9f33664c2659029d12efc35508d0ce48b10bd60fbef16b87a7f727da92c2168f784411fca2d1bcabe9c8aafc65195843bdb63a59c2bd4fa0c604c45a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\fret.sfx.exe

Filesize
367KB

MD5
e511271bfd8344f13575c80d692ae02c

SHA1
3f75cb43fc93f216d24d95adcac17863000edff6

SHA256
552b6b86bf389ad37b7103930bf4b44fd3f57c2925af4b007c76dcb2e666008b

SHA512
c363063a462338b7f75b08ce35fa304e78178a5a6c816d4b938617fffb4da179ef4014c660db841dc71cbd0d1a96c6efd449e3d2598bf449c55a4fc85cf01768

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\fret.exe

Filesize
160KB

MD5
83e843be7858928a362bfd46b01b9dbd

SHA1
d8a0d091e7532961fcae6d1c466ce3ba4d34bb84

SHA256
57b59b6ff8c0140cda1b6b5f606effcc97411ab4663bf95cdc0b0f3511cbddab

SHA512
9fdce213e2fef8e7480f2f53adf7ff489910532a0bd91a9948d8ddedfbf27afdf8c1c4cb881c3585fdb7146a8095deed32b5d65498d38f913ee019f511e4d598

Download Submit
memory/692-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1564-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download