netwire | bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cb

General

Target

bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
Size

296KB
MD5

ca239e74778ea238c877d0a08ff014e0
SHA1

cd3cce3b44b9b21384b292add85ee800ca4a6166
SHA256

bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cb
SHA512

5af6a0b7ac51b546bd9309c9a0bfcb6ace1fb12cc7ad288734483e02c478c9924bb39e117c13678856fbbc76aa04fe8570f7754e2aeb1c2935f6c82997feb4fb
SSDEEP

3072:tg6pbDIqOnD6rdKRMvXs+oCTZG9QBNctlVeFAnhPQ12uDefLFmLf9WL5Bcxw:5Ddrvv8O1Ga9qtH5mLfoA

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

wealthyman.brasilia.me:39560

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
WEALTH
keylogger_dir
%AppData%\music\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2920-429-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2920-431-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Executes dropped EXE 1 IoCs

pid	Process
2920	Haandevendingerne.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
File opened for modification	C:\Windows\win.ini	Haandevendingerne.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haandevendingerne.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
2920	Haandevendingerne.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2920	Haandevendingerne.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2852	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	30
PID 2312 wrote to memory of 2852	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	30
PID 2312 wrote to memory of 2852	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	30
PID 2312 wrote to memory of 2852	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	30
PID 2312 wrote to memory of 2932	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	32
PID 2312 wrote to memory of 2932	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	32
PID 2312 wrote to memory of 2932	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	32
PID 2312 wrote to memory of 2932	2312	bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe	32
PID 1644 wrote to memory of 2920	1644	taskeng.exe	35
PID 1644 wrote to memory of 2920	1644	taskeng.exe	35
PID 1644 wrote to memory of 2920	1644	taskeng.exe	35
PID 1644 wrote to memory of 2920	1644	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe
"C:\Users\Admin\AppData\Local\Temp\bb4773c106ac654769bca2778273b3efc76226a93cee33cfa2c099fc9d0e44cbN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Evakostumet1" /TR "C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2852
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /run /tn "Evakostumet1"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932

C:\Windows\system32\taskeng.exe
taskeng.exe {12755D09-05D2-4BDF-AAC2-AF50771C04CA} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
  C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Haandevendingerne.exe

Filesize
296KB

MD5
4acfd830113a6da904c6397850610a72

SHA1
09a259a8f4ac047c3402238a5f852f333dd6f0d2

SHA256
2c639ebd748cb27f6345c2bf5dc4ce0e5179b923b401cc7c392323266660d934

SHA512
d45fc8351cee4a336e1d11e7ce19380571d1a54fdc79510e2a04d97aedb0fa5f6e50e500af5f6a25d2c053779af6d038b14c659afb326ce84480a74632a86f40

Download Submit
C:\Windows\win.ini

Filesize
497B

MD5
80f15b158c49b73757d1dde727355db7

SHA1
212a5c033130af8e8254d2b7a4a6c8762628ec91

SHA256
0df5cecf65125ca8de5b8a599400bda1aa3700b43f9f73ac91c2261da7946368

SHA512
767af13228a26d8b8ff2dfdefa223045638df6e37d4e614274c425e2e70cd12125a933946da286c1375e892668decd732300e22d301b4c8087f887dabf13050a

Download Submit
memory/2312-212-0x00000000773C0000-0x0000000077496000-memory.dmp

Filesize
856KB

Download
memory/2920-429-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2920-430-0x0000000072940000-0x0000000072A60000-memory.dmp

Filesize
1.1MB

Download
memory/2920-431-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads