netwire | 1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

Analysis

max time kernel
138s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
Size

183KB
MD5

20ddd5396553be13fef4c8e6b2b481e9
SHA1

6b109b238c1245c7e81fe0b4a2e2859450e375b6
SHA256

1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841
SHA512

ecb41f267006bf879698376c91d9f5b07537a0cbee0240d631b931a5838376f38e86f6328e22c47520080918a72a397194e3c80f26bfb6496a2a7c9ebffc7d9a
SSDEEP

3072:m8Dsp+FNX1dFOvDlXJu545fL0MgJekMBdSSe/cIN7hIWaWk14FiFTFslv:m8dNXSE5QL0MglEtYcIZLtswlv

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

123.242.227.5:443

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
INTECHNGC-%Rand%
install_path
%AppData%\Eggs\ngcservices.exe
keylogger_dir
%AppData%\EggWriter\
lock_executable
false
mutex
PisPfLxv
offline_keylogger
true
password
letmein
registry_autorun
true
startup_name
EggProducts
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2592-24-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2592-20-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2592-26-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2592-31-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2916-74-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2916-75-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

ngcservices.exengcservices.exe

pid process

2736 ngcservices.exe
2916 ngcservices.exe

pid	process
2736	ngcservices.exe
2916	ngcservices.exe

Loads dropped DLL 5 IoCs

Processes:

1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exengcservices.exe

pid	process
2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
2592	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
2736	ngcservices.exe
2736	ngcservices.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ngcservices.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\EggProducts = "C:\\Users\\Admin\\AppData\\Roaming\\Eggs\\ngcservices.exe"	ngcservices.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exengcservices.exe

description	pid	process	target process
PID 2192 set thread context of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2736 set thread context of 2916	2736	ngcservices.exe	ngcservices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
NSIS installer 2 IoCs
installer

Processes:

resource yara_rule

\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe nsis_installer_1
\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe nsis_installer_2

resource	yara_rule
\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe	nsis_installer_2

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exengcservices.exe

description	pid	process	target process
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2192 wrote to memory of 2592	2192	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
PID 2592 wrote to memory of 2736	2592	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	ngcservices.exe
PID 2592 wrote to memory of 2736	2592	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	ngcservices.exe
PID 2592 wrote to memory of 2736	2592	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	ngcservices.exe
PID 2592 wrote to memory of 2736	2592	1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe
PID 2736 wrote to memory of 2916	2736	ngcservices.exe	ngcservices.exe

C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
"C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192

C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe
"C:\Users\Admin\AppData\Local\Temp\1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe
"C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe
"C:\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2916

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Cheapskate.w
Filesize
87KB

MD5
fef38c1c0a3effe29bfc26c0dd64b74f

SHA1
6cdb0e503864ec97c1ee19af93753fada14d2a95

SHA256
328c89ce136d8854118a67185beb572f23594efe5b9b25662200d85a46025bdf

SHA512
840dee3d9386e15e6c5d65d5b95f0211c1b9ad09bc96b234e533b5eca940d274a1261e7a3d7ab76f2913c048d21ab13503016edc1bf4b63972bd7890a915d078

Download Submit
C:\Users\Admin\AppData\Roaming\MiniHelp.zh.fb2
Filesize
15KB

MD5
ff51f2558cda28074348b0809886b211

SHA1
fb524eb846c2425f3bcd9896a1ef9034ad753cc0

SHA256
df637fcfedd33dbcd5bf6fa1066756790ee00d0e42753c37b657de59da2efca1

SHA512
d666e02ea6de7d90a602b9ef25a7340b80f4659d55d7c5ab9e392f12a10e51f07974db54713b30bba032657db61f8f705100e52542b0106ec3b462187af9cd61

Download Submit
C:\Users\Admin\AppData\Roaming\ScarpFlatboat.JF5
Filesize
4KB

MD5
cd4c6f911730189826815faa544ec3fa

SHA1
fe43e22860e674cfb5391304af3fc852db49e9aa

SHA256
57748394920b5972b37fadb9090af83f973cd522c8adb64b92b0a64d5f1bad34

SHA512
b93f3e05cf3109e54bfc9a1afd48bec7a0d885fa8b3123749178a5ae597c5022dc8794a17a74a599b3506ba03a735a15af8c24ad73867a1885755f41e478194a

Download Submit
C:\Users\Admin\AppData\Roaming\filter.png
Filesize
130B

MD5
d2532067959bb2db3a6edc469af4f114

SHA1
ee5f8cfa30b8fd1ac0ed57af136d2fde00dbb70f

SHA256
a6e11c733726b32bfa967242c04b916bb4d4b31f1b3d348d8ef67c5a64be183c

SHA512
33a72efac30cb8d879cedb105651d1826452396b47827c12a0db8daa97ce12cd71533ef2c438ed28c80063f2666feff01ac3380c761f98cb4e495b2c39cdc759

Download Submit
C:\Users\Admin\AppData\Roaming\toolbar.xrc
Filesize
4KB

MD5
8a3e9e93dcb01d2714b267e1d5c488ca

SHA1
98bdc0332862ad9dc72379160f2232c0acb48548

SHA256
b257c1f7892873000414b5b556b6b13e757b2c8e2e7db271769af33204ddb959

SHA512
d38a075f7570ab245d15986f066b82e411ebc95477cdef1a0c9f1a2565c092d3c50ffbec2e7676215162eec10a5d5e4b77bcd617c071e3f55fb875fcb628e77d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd26F2.tmp\System.dll
Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
\Users\Admin\AppData\Roaming\Eggs\ngcservices.exe
Filesize
183KB

MD5
20ddd5396553be13fef4c8e6b2b481e9

SHA1
6b109b238c1245c7e81fe0b4a2e2859450e375b6

SHA256
1c95e2de3bca3fea01374b156e547a840d0adf592d7ef17155c54fcbc6d69841

SHA512
ecb41f267006bf879698376c91d9f5b07537a0cbee0240d631b931a5838376f38e86f6328e22c47520080918a72a397194e3c80f26bfb6496a2a7c9ebffc7d9a

Download Submit
\Users\Admin\AppData\Roaming\SFhelper.dll
Filesize
60KB

MD5
a2f3195a34dfb07900fc784a32a37d3f

SHA1
7e60c4ec6e1aece0de663f5ca614d22a77cc680b

SHA256
c0234f29167c2d0b6284dd3a32a0a6c1ab9bbd2f2475ccf5c3e758d4070835ea

SHA512
3aaaebdad04878af5a9692308b1ee7f91dd6682f9b046a23e803001bb6df5b87550a06c1c3b4be93169a582935859e3af0fce2947e01d56ead3bb204a9458c55

Download Submit
memory/2192-12-0x0000000000640000-0x000000000064F000-memory.dmp

Filesize
60KB

Download
memory/2592-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-55-0x00000000003F0000-0x00000000003FF000-memory.dmp

Filesize
60KB

Download
memory/2916-74-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2916-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download