netwire | ca9febc756389fc99c2977236e8fca8b7787c11d8def8c2551ddd7fa73451b24

General

Target

SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
Size

1.3MB
MD5

ced3d9cf743d3b0f37bbd5bfef4e3e8b
SHA1

b0ae983b4971573ec25c993fb3c2ac2baeb0ba8b
SHA256

b2d0f86886d771c347e71081e9e46bfe8f4b533e6d354f9defd2c745741a6fa5
SHA512

49fc19909760f56331cf602fae889d854c22024ec837070dd642596e9fba8c3cf3f72c806874ed3c38092b29f3b74f0ec4a8d8b04cedda6547c9b4bd5663b4ac
SSDEEP

24576:EAHnh+eWsN3skA4RV1Hom2KXMmHabGAtm/2zPAHpjeCF85:Th+ZkldoPK8Ya/zYJa

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

lecanoffice.dynu.net:2202

Attributes

activex_autorun
true
activex_key
{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
lolkFUKd
offline_keylogger
true
password
gfffffytt
registry_autorun
true
startup_name
image
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2656-3-0x0000000000090000-0x00000000000BC000-memory.dmp	netwire
behavioral1/memory/2656-14-0x0000000000090000-0x00000000000BC000-memory.dmp	netwire
behavioral1/memory/112-42-0x0000000000090000-0x00000000000BC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidapi.url	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidapi.url	Host.exe

Executes dropped EXE 2 IoCs

pid	Process
536	Host.exe
112	Host.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
536	Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\image = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000700000001565e-19.dat	autoit_exe
behavioral1/files/0x002d000000014b5b-45.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 536 set thread context of 112	536	Host.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
536	Host.exe
536	Host.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
536	Host.exe
536	Host.exe
536	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
536	Host.exe
536	Host.exe
536	Host.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2688 wrote to memory of 2656	2688	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	31
PID 2656 wrote to memory of 536	2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	32
PID 2656 wrote to memory of 536	2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	32
PID 2656 wrote to memory of 536	2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	32
PID 2656 wrote to memory of 536	2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	32
PID 2656 wrote to memory of 536	2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	32
PID 2656 wrote to memory of 536	2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	32
PID 2656 wrote to memory of 536	2656	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	32
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33
PID 536 wrote to memory of 112	536	Host.exe	33

C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidapi.url

Filesize
70B

MD5
9d121cd74c4c6790e970564095103fbc

SHA1
237d5d1071133808b666bc3a2ff93702e30f66d7

SHA256
abc77eeeced8e42171568283785030c1872bd67d069ac9a6a8ad5775d0c51f66

SHA512
d8fc31beed5fadd4be3bd0de923be603e7423cd588d4de6cf772262adb339590d7a3241b7fdfead576c4020adbd3cdbf4ab2322570f8b67bebc321bb85b3f3b9

Download Submit
C:\Users\Admin\bootcfg\MuiUnattend.exe

Filesize
1.3MB

MD5
6bf280f49c3fa14685410d4c885aac3a

SHA1
065817cc359967ba4b82c69a23f26fc21757170b

SHA256
85a11bc738b33542a899986ca64ac0a15385947726c3a6ea1c311e13e20d4337

SHA512
ffa9513207f0be4ab52a898ded20ca59e0e4691ba97d288a2589b9b31811becbd1182c7ab0b7ca7dbf03b84381a27ea8aa792ddc92a710c0cc93864bcb16baaa

Download Submit
C:\Users\Admin\bootcfg\appidapi.vbs

Filesize
111B

MD5
9f9d5e8d2bdefd82a4056b060b276c70

SHA1
916a016b12b8214f2f1603eacf503dc9461b6bd3

SHA256
2c1b31043cf6adf3e2d9f96659f5c74db5029d288c430cbc976667048e01f40a

SHA512
f1c58fb7e5d3632d0f4af3ef0635dbfddcd7db9e30aae2e16bf545c6111eb14e10fdc22c6aeb50bc9b3a270fe2863123fa5ee90ec27776d7a78135b907d5c00a

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.3MB

MD5
ced3d9cf743d3b0f37bbd5bfef4e3e8b

SHA1
b0ae983b4971573ec25c993fb3c2ac2baeb0ba8b

SHA256
b2d0f86886d771c347e71081e9e46bfe8f4b533e6d354f9defd2c745741a6fa5

SHA512
49fc19909760f56331cf602fae889d854c22024ec837070dd642596e9fba8c3cf3f72c806874ed3c38092b29f3b74f0ec4a8d8b04cedda6547c9b4bd5663b4ac

Download Submit
memory/112-42-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/112-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-3-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2656-14-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2656-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2656-1-0x0000000000090000-0x00000000000BC000-memory.dmp

Filesize
176KB

Download
memory/2688-0-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads