netwire | 7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06

General

Target

SDA EMV Chip Writer By Paws.exe
Size

3.8MB
MD5

30ee6aaf50e4b4369e0a1634afbcd757
SHA1

b2ee5b9c07098a1058ae9778ad59396b8b8c9878
SHA256

7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
SHA512

bec9661218c6fe09f7c048e4264def14815da93ab258209e3acc2e3e72b5f08aa6f6aea14c24973f2c0abbe3a54f1e820b3f712c8a0d8a8d474d6e19e4b73cec
SSDEEP

98304:tMryTmxddk6tVOfALLIVjnz25r/8XnveOZxho:vKxdBt84Ehur/82iPo

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

local.cable-modem.org:3361

teamviewer.ddns.net:3361

optic.cable-modem.org:3361

teamviewer.ddns.me:3361

logmein.loginto.me:3361

Attributes

activex_autorun
true
activex_key
{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}
copy_executable
true
delete_original
false
host_id
BTC2020
install_path
%AppData%\instal\crhomeAT64bit.exe
keylogger_dir
%AppData%\0pera\metaolgs.dat\
lock_executable
false
mutex
NLBJEoGj
offline_keylogger
true
password
anjing
registry_autorun
true
startup_name
tvnserver
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/860-41-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/860-44-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/860-46-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/1952-60-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/1952-62-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/1952-64-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/1952-66-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/1952-68-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

crhomeAT64bit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}	crhomeAT64bit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe\""	crhomeAT64bit.exe

Executes dropped EXE 5 IoCs

Processes:

Syssvctoolsx64bit.exeSdachipwriter.exeSyssvctoolsx64bit.execrhomeAT64bit.execrhomeAT64bit.exe

pid process

1368 Syssvctoolsx64bit.exe
3532 Sdachipwriter.exe
860 Syssvctoolsx64bit.exe
4504 crhomeAT64bit.exe
1952 crhomeAT64bit.exe

pid	process
1368	Syssvctoolsx64bit.exe
3532	Sdachipwriter.exe
860	Syssvctoolsx64bit.exe
4504	crhomeAT64bit.exe
1952	crhomeAT64bit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

crhomeAT64bit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\tvnserver = "C:\\Users\\Admin\\AppData\\Roaming\\instal\\crhomeAT64bit.exe"	crhomeAT64bit.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Syssvctoolsx64bit.execrhomeAT64bit.exe

description	pid	process	target process
PID 1368 set thread context of 860	1368	Syssvctoolsx64bit.exe	Syssvctoolsx64bit.exe
PID 4504 set thread context of 1952	4504	crhomeAT64bit.exe	crhomeAT64bit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Syssvctoolsx64bit.exeSdachipwriter.exeSyssvctoolsx64bit.execrhomeAT64bit.execrhomeAT64bit.exeSDA EMV Chip Writer By Paws.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syssvctoolsx64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sdachipwriter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Syssvctoolsx64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crhomeAT64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crhomeAT64bit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SDA EMV Chip Writer By Paws.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Sdachipwriter.exe

pid process

3532 Sdachipwriter.exe

pid	process
3532	Sdachipwriter.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

SDA EMV Chip Writer By Paws.exeSyssvctoolsx64bit.exeSyssvctoolsx64bit.execrhomeAT64bit.exe

description	pid	process	target process
PID 248 wrote to memory of 1368	248	SDA EMV Chip Writer By Paws.exe	Syssvctoolsx64bit.exe
PID 248 wrote to memory of 1368	248	SDA EMV Chip Writer By Paws.exe	Syssvctoolsx64bit.exe
PID 248 wrote to memory of 1368	248	SDA EMV Chip Writer By Paws.exe	Syssvctoolsx64bit.exe
PID 248 wrote to memory of 3532	248	SDA EMV Chip Writer By Paws.exe	Sdachipwriter.exe
PID 248 wrote to memory of 3532	248	SDA EMV Chip Writer By Paws.exe	Sdachipwriter.exe
PID 248 wrote to memory of 3532	248	SDA EMV Chip Writer By Paws.exe	Sdachipwriter.exe
PID 1368 wrote to memory of 860	1368	Syssvctoolsx64bit.exe	Syssvctoolsx64bit.exe
PID 1368 wrote to memory of 860	1368	Syssvctoolsx64bit.exe	Syssvctoolsx64bit.exe
PID 1368 wrote to memory of 860	1368	Syssvctoolsx64bit.exe	Syssvctoolsx64bit.exe
PID 1368 wrote to memory of 860	1368	Syssvctoolsx64bit.exe	Syssvctoolsx64bit.exe
PID 1368 wrote to memory of 860	1368	Syssvctoolsx64bit.exe	Syssvctoolsx64bit.exe
PID 860 wrote to memory of 4504	860	Syssvctoolsx64bit.exe	crhomeAT64bit.exe
PID 860 wrote to memory of 4504	860	Syssvctoolsx64bit.exe	crhomeAT64bit.exe
PID 860 wrote to memory of 4504	860	Syssvctoolsx64bit.exe	crhomeAT64bit.exe
PID 4504 wrote to memory of 1952	4504	crhomeAT64bit.exe	crhomeAT64bit.exe
PID 4504 wrote to memory of 1952	4504	crhomeAT64bit.exe	crhomeAT64bit.exe
PID 4504 wrote to memory of 1952	4504	crhomeAT64bit.exe	crhomeAT64bit.exe
PID 4504 wrote to memory of 1952	4504	crhomeAT64bit.exe	crhomeAT64bit.exe
PID 4504 wrote to memory of 1952	4504	crhomeAT64bit.exe	crhomeAT64bit.exe

C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe
"C:\Users\Admin\AppData\Local\Temp\SDA EMV Chip Writer By Paws.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:248
- C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
  C:\Users\Admin\AppData\Roaming/Syssvctoolsx64bit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe
    "C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
      "C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe
        
        "C:\Users\Admin\AppData\Roaming\instal\crhomeAT64bit.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1952
- C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe
  C:\Users\Admin\AppData\Local\Temp/Sdachipwriter.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sdachipwriter.exe

Filesize
4.9MB

MD5
0828480f98adb533104d42ad42601f80

SHA1
5528665c1e94ec7738174058196d3c818c64241e

SHA256
1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08

SHA512
c8e87296d06a1cc032dbc78828413c6d1636d506e859f8f5545a0164b73d0d32d7ed7b046aa8108dacd8299b6a587733d870fb45d3e03666e75bc45a4bb3bc65

Download Submit
C:\Users\Admin\AppData\Roaming\Syssvctoolsx64bit.exe

Filesize
753KB

MD5
c57711ed5ac9003f30be5d81c0b8ddc1

SHA1
f7e14ebd419f4c6c3ba269e1fb6ff765adc5d8b9

SHA256
ec94ffbda11b4f750ea732a9986b6dd60d4c87978f810f27336abf4ee178bc03

SHA512
2f000b930b6481a2cf4842a1dc04e7a99fb25c29fc21e221fddd7e3bfa299e69a5890dbfc8200cf5cb1191726697bf39e400810f4ee415206f95a6ab24905466

Download Submit
memory/860-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/860-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3532-53-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3532-52-0x0000000000400000-0x0000000000972000-memory.dmp

Filesize
5.4MB

Download
memory/3532-16-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads