netwire | 44b0198f89b06283a6383adf6b581efe1f28c948b099c0d9cdab9f9068a3c8db

General

Target

Setup.exe
Size

2.5MB
MD5

567d3e1a12c51c3fdeeabd8190c121f2
SHA1

c3b3f202e44fd79f08409dd9c36307d4a4fcff1e
SHA256

44b0198f89b06283a6383adf6b581efe1f28c948b099c0d9cdab9f9068a3c8db
SHA512

7d0964f0dd322ee2fd3085a4dcec495197726a8a819e19c2651b72994774cf3d475d46cecc12dc336bed34902d0475e0e20b2596012387351c785719be8a98b8
SSDEEP

3072:FpWz3jKwH4GW9zubqCuhEFT6PwDCLq9jg7/XjA28HKSXPKHSEVKjIyDG4QXeaAs:zW

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

r00tshit.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/3004-17-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/3004-19-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/3004-22-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 1 IoCs

pid	Process
4144	egHpQulVHBME.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avas64 = "C:\\Users\\Admin\\avas64.exe"	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 808 set thread context of 3004	808	Setup.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egHpQulVHBME.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 4144	808	Setup.exe	87
PID 808 wrote to memory of 4144	808	Setup.exe	87
PID 808 wrote to memory of 4144	808	Setup.exe	87
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88
PID 808 wrote to memory of 3004	808	Setup.exe	88

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Roaming\egHpQulVHBME.exe
  "C:\Users\Admin\AppData\Roaming\egHpQulVHBME.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\egHpQulVHBME.exe

Filesize
419KB

MD5
6453b1d831cc4b4708476dd82d352255

SHA1
79c7dcb41cf90460b3fb7be106df930875a8226a

SHA256
5468963e71c183162cb01be461b777023968cefb9974e848e5fccf28bbce0a17

SHA512
6e4315b042029d0a487bc1868d0ae7e3341605eada16d2ed0e0257a28be7c609cf7dfc63d245505d2abfa73c05b0cd1ef84b0a0d5b3b63f0bd28fd59f99dadc5

Download Submit
memory/808-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/808-1-0x00000000004A0000-0x0000000000728000-memory.dmp

Filesize
2.5MB

Download
memory/808-2-0x0000000004F60000-0x0000000005002000-memory.dmp

Filesize
648KB

Download
memory/808-3-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/808-4-0x0000000005000000-0x0000000005014000-memory.dmp

Filesize
80KB

Download
memory/808-16-0x00000000051F0000-0x000000000528C000-memory.dmp

Filesize
624KB

Download
memory/808-21-0x00000000748E0000-0x0000000075090000-memory.dmp

Filesize
7.7MB

Download
memory/3004-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3004-19-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3004-22-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads