netwire | ca9febc756389fc99c2977236e8fca8b7787c11d8def8c2551ddd7fa73451b24

General

Target

SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
Size

1.3MB
MD5

ced3d9cf743d3b0f37bbd5bfef4e3e8b
SHA1

b0ae983b4971573ec25c993fb3c2ac2baeb0ba8b
SHA256

b2d0f86886d771c347e71081e9e46bfe8f4b533e6d354f9defd2c745741a6fa5
SHA512

49fc19909760f56331cf602fae889d854c22024ec837070dd642596e9fba8c3cf3f72c806874ed3c38092b29f3b74f0ec4a8d8b04cedda6547c9b4bd5663b4ac
SSDEEP

24576:EAHnh+eWsN3skA4RV1Hom2KXMmHabGAtm/2zPAHpjeCF85:Th+ZkldoPK8Ya/zYJa

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

lecanoffice.dynu.net:2202

Attributes

activex_autorun
true
activex_key
{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
lolkFUKd
offline_keylogger
true
password
gfffffytt
registry_autorun
true
startup_name
image
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3964-1-0x0000000000540000-0x000000000056C000-memory.dmp	netwire
behavioral2/memory/3964-13-0x0000000000540000-0x000000000056C000-memory.dmp	netwire
behavioral2/memory/4608-18-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4608-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}	Host.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5GNR66Y3-78Y4-PMYQ-E1H8-05IS5JYJRW17}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe\""	Host.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidapi.url	Host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidapi.url	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe

Executes dropped EXE 2 IoCs

pid	Process
1140	Host.exe
4608	Host.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\image = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002350d-16.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 444 set thread context of 3964	444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	97
PID 1140 set thread context of 4608	1140	Host.exe	108

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
1140	Host.exe
1140	Host.exe
1140	Host.exe
1140	Host.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
1140	Host.exe
1140	Host.exe
1140	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
1140	Host.exe
1140	Host.exe
1140	Host.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 3964	444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	97
PID 444 wrote to memory of 3964	444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	97
PID 444 wrote to memory of 3964	444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	97
PID 444 wrote to memory of 3964	444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	97
PID 444 wrote to memory of 3964	444	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	97
PID 3964 wrote to memory of 1140	3964	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	98
PID 3964 wrote to memory of 1140	3964	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	98
PID 3964 wrote to memory of 1140	3964	SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe	98
PID 1140 wrote to memory of 4608	1140	Host.exe	108
PID 1140 wrote to memory of 4608	1140	Host.exe	108
PID 1140 wrote to memory of 4608	1140	Host.exe	108
PID 1140 wrote to memory of 4608	1140	Host.exe	108
PID 1140 wrote to memory of 4608	1140	Host.exe	108

C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:444
- C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe
  "C:\Users\Admin\AppData\Local\Temp\SWIFT_LloydsBankTsb_FobShenzen00481_PDF.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.3MB

MD5
ced3d9cf743d3b0f37bbd5bfef4e3e8b

SHA1
b0ae983b4971573ec25c993fb3c2ac2baeb0ba8b

SHA256
b2d0f86886d771c347e71081e9e46bfe8f4b533e6d354f9defd2c745741a6fa5

SHA512
49fc19909760f56331cf602fae889d854c22024ec837070dd642596e9fba8c3cf3f72c806874ed3c38092b29f3b74f0ec4a8d8b04cedda6547c9b4bd5663b4ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidapi.url

Filesize
70B

MD5
9d121cd74c4c6790e970564095103fbc

SHA1
237d5d1071133808b666bc3a2ff93702e30f66d7

SHA256
abc77eeeced8e42171568283785030c1872bd67d069ac9a6a8ad5775d0c51f66

SHA512
d8fc31beed5fadd4be3bd0de923be603e7423cd588d4de6cf772262adb339590d7a3241b7fdfead576c4020adbd3cdbf4ab2322570f8b67bebc321bb85b3f3b9

Download Submit
C:\Users\Admin\bootcfg\appidapi.vbs

Filesize
111B

MD5
9f9d5e8d2bdefd82a4056b060b276c70

SHA1
916a016b12b8214f2f1603eacf503dc9461b6bd3

SHA256
2c1b31043cf6adf3e2d9f96659f5c74db5029d288c430cbc976667048e01f40a

SHA512
f1c58fb7e5d3632d0f4af3ef0635dbfddcd7db9e30aae2e16bf545c6111eb14e10fdc22c6aeb50bc9b3a270fe2863123fa5ee90ec27776d7a78135b907d5c00a

Download Submit
memory/444-0-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3964-1-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/3964-13-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/4608-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4608-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads