netwire

Sharing

Copy URL

Twitter E-mail

General

Target

EMV Reader Writer.rar
Size

8.2MB
Sample

250403-lbwqfstxhw
MD5

e9427c6f27d0eaa13da84bbfa2f48c07
SHA1

3aa9265af13ab73af7a4677f0e25cee5a27f5fb4
SHA256

8b2c1c503028727000a3c4c10afcde49894d1931b3099a3ab6549d3f7d545276
SHA512

641bfc00709539417869846dee4154156aff34eab30759281693f92b3d1853df08c8e654e73337bbd7e21a590f826673ba53a815ecd280b5021aa26d18c966da
SSDEEP

196608:RsvkQ+h6JkQ+h67+Zx2Grp9bGUCDuhBNf4PKRYPHbF+W6HB5F8UCDuhBNf4PKRU0:Rs/+sJ+s7+Zx2FUCDYLRDbHJ8UCDYLR3

Score

10^/10

Malware Config

Extracted

Family

netwire

local.cable-modem.org:3361

teamviewer.ddns.net:3361

optic.cable-modem.org:3361

teamviewer.ddns.me:3361

logmein.loginto.me:3361

Attributes

activex_autorun
true
activex_key
{LYN464PX-ITSA-6EUY-J762-UKD6Y5BMGV3H}
copy_executable
true
delete_original
false
host_id
Milionare
install_path
%AppData%\mscftmon\ntsvc32.exe
keylogger_dir
%AppData%\metmsfmon\metaolgs.dat\
lock_executable
false
mutex
cVNWvLvU
offline_keylogger
true
password
anjing
registry_autorun
true
startup_name
winipcservices
use_mutex
true

Targets

- Target
  
  EMV Reader Writer/EMV Reader Writer/EMV Reader Writer Software V8.5.exe
- Size
  
  600KB
- MD5
  
  5b1df20ca9a036c586b419dee459601b
- SHA1
  
  3b50df96cd3e5456652b29cb93dea532da6e9b39
- SHA256
  
  79502f9bbaf79f22644838f3a58b53694d09bb9b3fa658f73a4576ad01dc765c
- SHA512
  
  86aace95fdd64dac7914e349b32337976b059f2c16a8eba957a29398527e8b45720b754f45591cf3633cba482429f915897864fdedbe00eccf625736d30130a4
- SSDEEP
  
  12288:xdfYgiiKfLs4qzQevE4Hxf+V/OPM33Sh2y4HnG1LJ9KdzW9QwWrugU+6:fYgfwRqzbBHl+gE33S0BHIKdWywn
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  EMV Reader Writer/EMV Reader Writer/EmvManual.rtf
- Size
  
  14.8MB
- MD5
  
  0f43d2e0fd0d4661f2e7799070245587
- SHA1
  
  275d687f6e4f8a83011ba43735256de3cd06a6e3
- SHA256
  
  a8cf72ddd20d716ce862a23428cfdb9b1bb168a57652e12a9e95bb3b21359032
- SHA512
  
  60c3540d3dd36c564b2cf3a4c917674a1fcc0eee4fcb6c6a59b43499f31d0beed06a91f42881ee09baaa2d98ebb5ddec30024e23fa66e9534c10981010c74fb8
- SSDEEP
  
  6144:qoufDrLggDHTseUjMXCZr2418l43Wmc8SBbVUUUmYAUUUpD7mou40eIRUUUkeeb8:RN1hqYTRQGPFNptTLIlkEwlr
Score

1^/10
behavioral2
- Target
  
  EMV Reader Writer/EMV.exe
- Size
  
  676KB
- MD5
  
  c02eb2922d0d441d0feb165978bace0b
- SHA1
  
  1742e04ea8268a87d4308bf462ea0b2196c04363
- SHA256
  
  e7c4ccc44305bbf8832946347be0774fee2bbce6dd1602651f1bfcb7ba3c0e6a
- SHA512
  
  a61eadd7eded59fc855ea5e068fb25037d869972d309944eb79f466552334a12c41caae5754b293539693ff93d1a0d1651dfd321e272c439d41143ae01398ec7
- SSDEEP
  
  12288:20Yu2IAbjFm4Eq7duqXXyFsKJ0kXky/u523DjUN3npCeYHfDugU+6:LYutAbjwo7dhyS4W523UN5C72
Score

10^/10

discovery persistence
- Modifies WinLogon for persistence
  persistence
behavioral3
- Target
  
  EMV Reader Writer/EmvManual.rtf
- Size
  
  14.8MB
- MD5
  
  0f43d2e0fd0d4661f2e7799070245587
- SHA1
  
  275d687f6e4f8a83011ba43735256de3cd06a6e3
- SHA256
  
  a8cf72ddd20d716ce862a23428cfdb9b1bb168a57652e12a9e95bb3b21359032
- SHA512
  
  60c3540d3dd36c564b2cf3a4c917674a1fcc0eee4fcb6c6a59b43499f31d0beed06a91f42881ee09baaa2d98ebb5ddec30024e23fa66e9534c10981010c74fb8
- SSDEEP
  
  6144:qoufDrLggDHTseUjMXCZr2418l43Wmc8SBbVUUUmYAUUUpD7mou40eIRUUUkeeb8:RN1hqYTRQGPFNptTLIlkEwlr
Score

1^/10
behavioral4
- Target
  
  EMV Reader Writer/X1 4.1/Cardpeek currency.rtf
- Size
  
  52KB
- MD5
  
  6fc2132e6874b5d0d516d4594880b64a
- SHA1
  
  e5f82e7260aacbf6e011e50ae697423637db2b53
- SHA256
  
  e383e121b0ba471250035f3bdd701674830a02bf621034dfafcb406ab1814ebd
- SHA512
  
  70911b210b87e91b76c828f8667dd4552f34555e4e9fec05b44717c4d2cb62f0273bc14bf081e0a8c35579b26350931c435db235924dbe0f79dce8751393bda4
- SSDEEP
  
  768:3R3b8AJsgmqksx7jQUPA6AFDFCRUfgZPeEV:3x3Bz4C8EP7V
Score

1^/10
behavioral5
- Target
  
  EMV Reader Writer/X1 4.1/GPPcScConnectionPlugin.dll
- Size
  
  12KB
- MD5
  
  d65463fc8a37261b6bf5afbc4139bdd5
- SHA1
  
  954076a2b56da1ff82eebe0c0c287110137f7cb1
- SHA256
  
  789734bbab7b606e27fab43f4706250399108dba98e4428d1b95589db0a42ea2
- SHA512
  
  cd3673e1feb07dfc86a33d499cddf7f34368bcacbbe8207826b81f9a96d9ebc74e7455170e195ae316785b42dcc871f842dfa1d0949df9f77e8738b8906339b0
- SSDEEP
  
  192:udqzHW3G3Vxv3bV/4DaRWu1Fh8+5FseTqt1emjQjA11Tml3X+EqEvaKGZ:udqzHW3G3DvbV/4Daw27vtTqtQU1xm5D
Score

3^/10

discovery
behavioral6
- Target
  
  EMV Reader Writer/X1 4.1/GlobalPlatform.dll
- Size
  
  767KB
- MD5
  
  4696b9fae32c96d487daa887d830261b
- SHA1
  
  e01f46ed39108d0fb7b57d7ec50fc688fbceb72b
- SHA256
  
  d516e641e63f4195c374ecedbee074c345af178d703fa0761c990141e056b992
- SHA512
  
  0b31bed9e8003ea915013d16561557d46e0ae6e7809d578e27f91dc346379cb47c3f2e50d815f3f49f8135eee5ca72693984eec428137eea2f77e581d1bfb7ac
- SSDEEP
  
  12288:tFmm3ESOWLzt9+5uxqUHudv3p6hUhJO4NdKVAZD53pqYK6oKs:Dx3ESM5uxqUHuJDhJO4n4AZ93pqYK6oJ
Score

3^/10

discovery
behavioral7
- Target
  
  EMV Reader Writer/X1 4.1/bins.dll.exe
- Size
  
  2.1MB
- MD5
  
  7ab812d82b3baaf3cd337aa43e91acde
- SHA1
  
  cbb7f418139eada36eaa57d4f39dde11fc577108
- SHA256
  
  c0fd4a64f7e529f3b5e98b70c048e2a2009cba5ba03eb919eaef864000c416cc
- SHA512
  
  d40b019150ca06bf3eed54941f84675529db32d5654bc1ca69af838032552489d2d767372cf7bb18560bef297263a731e96bbaa9d0c9760f1b164f20200c5df7
- SSDEEP
  
  24576:0PkGgW8ugdGJYDLoL/vddOUmB5I4LjbrMChWVeTsAkYGipeT:XwxH1ah4UTtkYVw
Score

3^/10

discovery
behavioral8
- Target
  
  EMV Reader Writer/X1 4.1/zlib1.dll
- Size
  
  105KB
- MD5
  
  b8a9e91134e7c89440a0f95470d5e47b
- SHA1
  
  3cbcee30fc0a7e9807931bc0dafceb627042bfc9
- SHA256
  
  42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71
- SHA512
  
  e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54
- SSDEEP
  
  3072:Y15jVjUqf9CtXH/4UghkGTBfmJyqLEC9BRY:Yf81wpTB+Jyqb
Score

3^/10

discovery
behavioral9
- Target
  
  EMV Reader Writer/X1v5/GPPcScConnectionPlugin.dll
- Size
  
  12KB
- MD5
  
  d65463fc8a37261b6bf5afbc4139bdd5
- SHA1
  
  954076a2b56da1ff82eebe0c0c287110137f7cb1
- SHA256
  
  789734bbab7b606e27fab43f4706250399108dba98e4428d1b95589db0a42ea2
- SHA512
  
  cd3673e1feb07dfc86a33d499cddf7f34368bcacbbe8207826b81f9a96d9ebc74e7455170e195ae316785b42dcc871f842dfa1d0949df9f77e8738b8906339b0
- SSDEEP
  
  192:udqzHW3G3Vxv3bV/4DaRWu1Fh8+5FseTqt1emjQjA11Tml3X+EqEvaKGZ:udqzHW3G3DvbV/4Daw27vtTqtQU1xm5D
Score

3^/10

discovery
behavioral10
- Target
  
  EMV Reader Writer/X1v5/GlobalPlatform.dll
- Size
  
  767KB
- MD5
  
  4696b9fae32c96d487daa887d830261b
- SHA1
  
  e01f46ed39108d0fb7b57d7ec50fc688fbceb72b
- SHA256
  
  d516e641e63f4195c374ecedbee074c345af178d703fa0761c990141e056b992
- SHA512
  
  0b31bed9e8003ea915013d16561557d46e0ae6e7809d578e27f91dc346379cb47c3f2e50d815f3f49f8135eee5ca72693984eec428137eea2f77e581d1bfb7ac
- SSDEEP
  
  12288:tFmm3ESOWLzt9+5uxqUHudv3p6hUhJO4NdKVAZD53pqYK6oKs:Dx3ESM5uxqUHuJDhJO4n4AZ93pqYK6oJ
Score

3^/10

discovery
behavioral11
- Target
  
  EMV Reader Writer/X1v5/X1.exe
- Size
  
  2.0MB
- MD5
  
  4dcad2976d44b39374049f9ebbc12115
- SHA1
  
  043b4ce521eea2265c13b25c9177f769d066ce4c
- SHA256
  
  d22a6211b7d1e90142395aa3c55a6ee6e4bc563409b3fe27a2b19e1a61f5b869
- SHA512
  
  a8bdf5e42656633fe620af81eb6ba41a67c317925f92b8e8f56303ae5a6847e1f583ff27aef377366810e1e7d78eb9202d369f4ba9598ac043c4e48f6751f0c9
- SSDEEP
  
  49152:aJqoQryTkMx8aWuClGvkVaAXb4kqNEhjt7QrrePkvvWrv+Y:a4ryTTxelGv0aojhVereWvgGY
Score

10^/10

netwire botnet discovery persistence rat stealer
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Netwire family
  netwire
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral12
- Target
  
  EMV Reader Writer/X1v5/sqlite3.dll
- Size
  
  628KB
- MD5
  
  2db34c7d07707168429b0b2633ff75c0
- SHA1
  
  0b29505703900208db71e8d8ae0e675fac2c4d57
- SHA256
  
  b645921e5d6ef89a1899d5cde3f3a54caec9280416290922c9d3638d3ecf49ab
- SHA512
  
  fda845b49ca94f7f2e6ca1b52819385adc46000b8cc7f7f58ca9811bbdb4e8afc3954a41a0050c4f5a44f82dc6d9c41dce38f12e81c254ce2088b139f7750d84
- SSDEEP
  
  12288:KdqTscFyl44oV1p7q5QyDYrUb+eGbOTV7KFnAzcR:KJl44Sz7iQbrPdOTJzcR
Score

3^/10

discovery
behavioral13
- Target
  
  EMV Reader Writer/X1v5/zlib1.dll
- Size
  
  105KB
- MD5
  
  b8a9e91134e7c89440a0f95470d5e47b
- SHA1
  
  3cbcee30fc0a7e9807931bc0dafceb627042bfc9
- SHA256
  
  42967a768f341d9ce5174eb38a4d63754c3c41739e7d88f4e39cd7354c1fac71
- SHA512
  
  e8583ea94b9d1321889359317e367abc88e90e96d0d9243258244a527ffa2b13ab97d0787693ca328960ceb934ea11eefd14abafd640a654473c26e420d2ec54
- SSDEEP
  
  3072:Y15jVjUqf9CtXH/4UghkGTBfmJyqLEC9BRY:Yf81wpTB+Jyqb
Score

3^/10

discovery
behavioral14