netwire | 2f49ad5cc742acfa2fd05a49012c9a78597bf02b10a2fa890864aefba2efab22

General

Target

bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe
Size

82KB
MD5

a4a8a89ce20e6f60d67140336e0a53cc
SHA1

f8dd44e59ac4592637ceb48a386ecb7cb53b3d42
SHA256

bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df
SHA512

2da47070fb9c39d09e6b9c706d4c85d5eb3928cbfb6271856068a30aacb8b9dd6df6e0680f59e5c2c03f2ff1a3d680d8ccafccebc8337c6763e0907918b27503
SSDEEP

1536:ORC2p2bHgBjEAKsQHzIRiuoSL6EWCOSSUnEy9ZjBiVcUvnZjgf2c:O8bAuAfuIlHGEXTUqAcUBUuc

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

nwire733.duckdns.org:7920

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
mkjcDhsG
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral7/files/0x0008000000015ccc-6.dat	netwire
behavioral7/memory/2280-21-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Executes dropped EXE 1 IoCs

pid	Process
2280	nwire733.exe

Loads dropped DLL 4 IoCs

pid	Process
3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe
3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe
3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe
3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwire733.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2240	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2240	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	30
PID 3028 wrote to memory of 2240	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	30
PID 3028 wrote to memory of 2240	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	30
PID 3028 wrote to memory of 2240	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	30
PID 3028 wrote to memory of 2280	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	31
PID 3028 wrote to memory of 2280	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	31
PID 3028 wrote to memory of 2280	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	31
PID 3028 wrote to memory of 2280	3028	bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe	31

C:\Users\Admin\AppData\Local\Temp\bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe
"C:\Users\Admin\AppData\Local\Temp\bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\nwire733.exe
  "C:\Users\Admin\AppData\Local\Temp\nwire733.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Prevent windows from sleeping.vbs

Filesize
153B

MD5
2862ffb5ea32ff114bebe41576441b02

SHA1
d9e78d276186e5ca049724796494489e228ff431

SHA256
0d7cee0c13374181a23e8f605b32f2969c9c490b83c7891318f26bd17777fd7c

SHA512
fc68bf19449801ebe3733d6042684d7a175d446cf893de9e5214abc4db591c8249932590f2528273ea0f3d66a3ec24c1270b067a2fd403926de699893e1b7e9c

Download Submit
\Users\Admin\AppData\Local\Temp\nwire733.exe

Filesize
160KB

MD5
bd69fa31c7ef693b2087026ff56be528

SHA1
e4e7339c6930103511107e8bf9e200850d2227c6

SHA256
7a43319c54992f8a04c06fa89c2dd0d67ebd3813c4ab1b47ccadebef819961ec

SHA512
7d27e31e727e3aaed99bcf250e94be6f78152d5501a838bd7d92a0b24144f65ad39246d9c7bb0e8305d770f0562cdb51c29edeb9bb5cf46664ba5a655672fc28

Download Submit
memory/2280-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-0-0x0000000000400000-0x00000000004161D8-memory.dmp

Filesize
88KB

Download
memory/3028-19-0x0000000000400000-0x00000000004161D8-memory.dmp

Filesize
88KB

Download

Analysis

Sharing