netwire | d15142a0a1c59537442b00f66882e45fd824cedeae2e4be53f1d2b7a00246d4c

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
Size

865KB
MD5

427e8565cb7c4bbff0ff3c07205f517a
SHA1

833a20dd03e1e5aed3d4284fde3d6a8208a97c88
SHA256

5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777
SHA512

59240e826ed5c265cc06f89b4826fc0de56e71ae46e19657b88976e89290c01a7320448e5aa82124fcaa88c534d99cee941cc986f57954da6dffc75faadebfeb
SSDEEP

12288:tWEauBVmKa8mdBBh4bgSZuG2U6uKEmaN0:UEaXB3WuIhN

Score

10^/10

netwire botnet defense_evasion discovery rat stealer

Malware Config

Extracted

Family

netwire

deesesejh45.hopto.org:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
oPXDHtoU
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2468-18-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2468-15-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/2468-19-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Fol\grxv.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2792	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Fol\grxv.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2368	AcroRd32.exe
2368	AcroRd32.exe
2368	AcroRd32.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2368	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	30
PID 2408 wrote to memory of 2368	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	30
PID 2408 wrote to memory of 2368	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	30
PID 2408 wrote to memory of 2368	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	30
PID 2408 wrote to memory of 1072	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	31
PID 2408 wrote to memory of 1072	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	31
PID 2408 wrote to memory of 1072	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	31
PID 2408 wrote to memory of 1072	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	31
PID 1072 wrote to memory of 2452	1072	cmd.exe	33
PID 1072 wrote to memory of 2452	1072	cmd.exe	33
PID 1072 wrote to memory of 2452	1072	cmd.exe	33
PID 1072 wrote to memory of 2452	1072	cmd.exe	33
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2468	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	34
PID 2408 wrote to memory of 2748	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	35
PID 2408 wrote to memory of 2748	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	35
PID 2408 wrote to memory of 2748	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	35
PID 2408 wrote to memory of 2748	2408	5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe	35
PID 2748 wrote to memory of 2792	2748	cmd.exe	37
PID 2748 wrote to memory of 2792	2748	cmd.exe	37
PID 2748 wrote to memory of 2792	2748	cmd.exe	37
PID 2748 wrote to memory of 2792	2748	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
"C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\File.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Fol\grxv.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe
  "C:\Users\Admin\AppData\Local\Temp\5a8d72946b1e08785bba3e067a64cdf3735b46834d4edf4d87d1916bd416a777.exe"
  2⤵
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Roaming\Fol\grxv.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.pdf

Filesize
29KB

MD5
7c95c654ab8ee6241a26db29af165ddb

SHA1
f8acedba5bc48273138e7b1df59f3ecce869503b

SHA256
f576c01a7b5e8fb5a1cfd3ead4e8c28b27ab80d2b856c20701f7aa039613ab3c

SHA512
add97a2471d7f5df79451c5cbce10ea8dfa8a16fff397bf8b628376dd4b7365342b8222db5fa6e715b95c35e8ec39c28193d5435a435fb016eb6e378371413ba

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
177c1e3fe7f7f5435fffa1ffd397f938

SHA1
4237359ffb6a4ff8da1e22e6cad7e6e0d6d1cb9a

SHA256
6254e3171cab05483caed5bebea5b4f9f2a495960b8a2ec8ee566a97d37c969b

SHA512
d7359d329051bd9cfd78d40817b6527dda8ddd5d31d0e6627ac16b996129243c6ca8a9911654b51c539fd3327df8aa91dfb71420af2ecde70ddd29be02e8d9bd

Download Submit
C:\Users\Admin\AppData\Roaming\Fol\grxv.exe.bat

Filesize
197B

MD5
26c5dede3f6965d7aade19be20056ddb

SHA1
c066470963784b27ad5a74f6a8ba79395b4cf848

SHA256
bcefef097c735b0c88e3e542c54f86eee2031578813e397411e509f6859e3220

SHA512
ed800f4bed246b6148eb5e48139a0070416e496a4eaf7764b41984bb34e2c07862c71c390b10bce69150671d5ab97b10c4d5ed6f5a2b4c1ad40c61fd51305834

Download Submit
memory/2408-1-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-2-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-49-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-48-0x0000000074BB0000-0x000000007515B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-0-0x0000000074BB1000-0x0000000074BB2000-memory.dmp

Filesize
4KB

Download
memory/2468-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2468-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2468-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2468-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2468-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2468-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2468-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download