netwire | 7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06

General

Target

SDAEMVChipWriterByPaws.exe
Size

3.8MB
MD5

30ee6aaf50e4b4369e0a1634afbcd757
SHA1

b2ee5b9c07098a1058ae9778ad59396b8b8c9878
SHA256

7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
SHA512

bec9661218c6fe09f7c048e4264def14815da93ab258209e3acc2e3e72b5f08aa6f6aea14c24973f2c0abbe3a54f1e820b3f712c8a0d8a8d474d6e19e4b73cec
SSDEEP

98304:tMryTmxddk6tVOfALLIVjnz25r/8XnveOZxho:vKxdBt84Ehur/82iPo

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

local.cable-modem.org:3361

teamviewer.ddns.net:3361

optic.cable-modem.org:3361

teamviewer.ddns.me:3361

logmein.loginto.me:3361

Attributes

activex_autorun
true
activex_key
{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}
copy_executable
true
delete_original
false
host_id
BTC2020
install_path
%AppData%\instal\crhomeAT64bit.exe
keylogger_dir
%AppData%\0pera\metaolgs.dat\
lock_executable
false
mutex
NLBJEoGj
offline_keylogger
true
password
anjing
registry_autorun
true
startup_name
tvnserver
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral2/memory/3652-41-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/3652-44-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/3652-51-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/1300-60-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/1300-62-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/1300-64-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/1300-66-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/1300-68-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe\""	crhomeAT64bit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}	crhomeAT64bit.exe

Executes dropped EXE 5 IoCs

pid	Process
4032	Syssvctoolsx64bit.exe
1468	Sdachipwriter.exe
3652	Syssvctoolsx64bit.exe
5040	crhomeAT64bit.exe
1300	crhomeAT64bit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvnserver = "C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe"	crhomeAT64bit.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023c85-6.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4032 set thread context of 3652	4032	Syssvctoolsx64bit.exe	94
PID 5040 set thread context of 1300	5040	crhomeAT64bit.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syssvctoolsx64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sdachipwriter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syssvctoolsx64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crhomeAT64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crhomeAT64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SDAEMVChipWriterByPaws.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1468	Sdachipwriter.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 4032	2792	SDAEMVChipWriterByPaws.exe	84
PID 2792 wrote to memory of 4032	2792	SDAEMVChipWriterByPaws.exe	84
PID 2792 wrote to memory of 4032	2792	SDAEMVChipWriterByPaws.exe	84
PID 2792 wrote to memory of 1468	2792	SDAEMVChipWriterByPaws.exe	86
PID 2792 wrote to memory of 1468	2792	SDAEMVChipWriterByPaws.exe	86
PID 2792 wrote to memory of 1468	2792	SDAEMVChipWriterByPaws.exe	86
PID 4032 wrote to memory of 3652	4032	Syssvctoolsx64bit.exe	94
PID 4032 wrote to memory of 3652	4032	Syssvctoolsx64bit.exe	94
PID 4032 wrote to memory of 3652	4032	Syssvctoolsx64bit.exe	94
PID 4032 wrote to memory of 3652	4032	Syssvctoolsx64bit.exe	94
PID 4032 wrote to memory of 3652	4032	Syssvctoolsx64bit.exe	94
PID 3652 wrote to memory of 5040	3652	Syssvctoolsx64bit.exe	95
PID 3652 wrote to memory of 5040	3652	Syssvctoolsx64bit.exe	95
PID 3652 wrote to memory of 5040	3652	Syssvctoolsx64bit.exe	95
PID 5040 wrote to memory of 1300	5040	crhomeAT64bit.exe	98
PID 5040 wrote to memory of 1300	5040	crhomeAT64bit.exe	98
PID 5040 wrote to memory of 1300	5040	crhomeAT64bit.exe	98
PID 5040 wrote to memory of 1300	5040	crhomeAT64bit.exe	98
PID 5040 wrote to memory of 1300	5040	crhomeAT64bit.exe	98

C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe
"C:\Users\Admin\AppData\Local\Temp\SDAEMVChipWriterByPaws.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
  C:\Users\Admin\AppData\Roaming/Syssvctoolsx64bit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
    "C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
      "C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
        
        "C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1300
- C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
  C:\Users\Admin\AppData\Local\Temp/Sdachipwriter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe

Filesize
4.9MB

MD5
0828480f98adb533104d42ad42601f80

SHA1
5528665c1e94ec7738174058196d3c818c64241e

SHA256
1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08

SHA512
c8e87296d06a1cc032dbc78828413c6d1636d506e859f8f5545a0164b73d0d32d7ed7b046aa8108dacd8299b6a587733d870fb45d3e03666e75bc45a4bb3bc65

Download Submit
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe

Filesize
753KB

MD5
c57711ed5ac9003f30be5d81c0b8ddc1

SHA1
f7e14ebd419f4c6c3ba269e1fb6ff765adc5d8b9

SHA256
ec94ffbda11b4f750ea732a9986b6dd60d4c87978f810f27336abf4ee178bc03

SHA512
2f000b930b6481a2cf4842a1dc04e7a99fb25c29fc21e221fddd7e3bfa299e69a5890dbfc8200cf5cb1191726697bf39e400810f4ee415206f95a6ab24905466

Download Submit
memory/1300-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1468-53-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1468-52-0x0000000000400000-0x0000000000972000-memory.dmp

Filesize
5.4MB

Download
memory/1468-16-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/3652-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads