netwire | 699f259d3ca7ab69da25404cdcf081233a956203ea995dff657f8c2114dba50c

General

Target

report..vbs
Size

2KB
MD5

70308f16ec6aed9b2bb1de2b95c954fc
SHA1

72650195a77260155859baa82f82f1b292e5ecff
SHA256

699f259d3ca7ab69da25404cdcf081233a956203ea995dff657f8c2114dba50c
SHA512

0bc476523ae086734f33c74db1ab6fc1e581818c985973e219120b40a950c51c6737e538e68f7bfd6e4b5258a6ce2a682356287af155ef549dae5e794c6ed162

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601401.us.archive.org/25/items/bypass_obbv/bypass_obbv.TXT

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://ia601505.us.archive.org/17/items/server-uybb/Server_uybb.txt

Extracted

Family

netwire

C2

185.19.85.172:1723

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
Password
registry_autorun
false
startup_name
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3828-176-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3828-177-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/3828-181-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

10 2568 powershell.exe
18 2768 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2768 set thread context of 3828 2768 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings powershell.exe

flow	pid	process
10	2568	powershell.exe
18	2768	powershell.exe

description	pid	process	target process
PID 2768 set thread context of 3828	2768	powershell.exe	aspnet_compiler.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe

pid	process
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2568 powershell.exe
Token: SeDebugPrivilege 2768 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exeWScript.exepowershell.exe

description	pid	process	target process
PID 3152 wrote to memory of 2568	3152	WScript.exe	powershell.exe
PID 3152 wrote to memory of 2568	3152	WScript.exe	powershell.exe
PID 2568 wrote to memory of 2332	2568	powershell.exe	WScript.exe
PID 2568 wrote to memory of 2332	2568	powershell.exe	WScript.exe
PID 2332 wrote to memory of 2768	2332	WScript.exe	powershell.exe
PID 2332 wrote to memory of 2768	2332	WScript.exe	powershell.exe
PID 2768 wrote to memory of 3716	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3716	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3716	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe
PID 2768 wrote to memory of 3828	2768	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\report..vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\Downloads\Run.ps1'
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\Run\.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass &'C:\Users\Public\.ps1'
4⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ea6243fdb2bfcca2211884b0a21a0afc

SHA1
2eee5232ca6acc33c3e7de03900e890f4adf0f2f

SHA256
5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

SHA512
189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c85e5e5f7a724752dffb864ba38d8b2b

SHA1
61cc1924a4682229ce0036c6f3e1367450acb3ed

SHA256
661c2d74a80173d86642d0f7a52c0db438411d120b314a62a0d468ac640ada76

SHA512
bc74f49d8107f22b1525cbdd09f48d5aad4cce9e425ea05269701a2fa3916ff64a822e5767bc30a06c2caf8243beda46e43db9d88c9173da9bc33363ffe5afc4

Download Submit
C:\Users\Public\.ps1
MD5
cf97a3b233badaea5e5f76e1e3cedc9d

SHA1
3392098ebe94be6318fa25c9100c5418056b3654

SHA256
296711508c0f8f0e4d31593f5995ee4cc03b1d759d4a372fba77a169318f6d21

SHA512
47a098883bf7ef896493012da0131fb1643f7af45f31b718fb94d170964ef1d2cd3b2bf3a7ea87166e781d73943e3fadac01dad8843f29a774d4ed557425acbe

Download Submit
C:\Users\Public\Downloads\Run.ps1
MD5
cdcd549275cb60156bdd3f689d8858ea

SHA1
6c46777d3f4fc3a2d18c0b378b7edcde5d9c502c

SHA256
62324fff798253265e04d2f6bb12cb36eb5faa35273322ecef726a2c73d86dc0

SHA512
4e02fff95fc763370c6d38e9192de6e0bf62e4383fb89c082df51bc6436afb852e2e95f54982769d02c8f834c111a9b7a40dec26810f784e77b4d535d0920f22

Download Submit
C:\Users\Public\Run\.vbs
MD5
17ebb4c06e80f056a5ac11aaa2b1010c

SHA1
d3421c4cd4b204583068996c1849188238a6cd22

SHA256
a05ef5de2d8063812442ec091bcef0d33e66d94ca54feb8744038552e1284489

SHA512
d9f9412d65d1ffee143fb9395a33569c66817940636c89e07f00099e0ce1d8b3d866438cb59641b16d7f9aa628be5e0c2b4264899b87cbb2a88abdf691759401

Download Submit
memory/2332-151-0x0000000000000000-mapping.dmp

Download
memory/2568-127-0x000001B86FA73000-0x000001B86FA75000-memory.dmp

Filesize
8KB

Download
memory/2568-119-0x000001B86F9C0000-0x000001B86F9C1000-memory.dmp

Filesize
4KB

Download
memory/2568-114-0x0000000000000000-mapping.dmp

Download
memory/2568-130-0x000001B86FA76000-0x000001B86FA78000-memory.dmp

Filesize
8KB

Download
memory/2568-125-0x000001B86FA70000-0x000001B86FA72000-memory.dmp

Filesize
8KB

Download
memory/2568-122-0x000001B86FB80000-0x000001B86FB81000-memory.dmp

Filesize
4KB

Download
memory/2768-165-0x000001C087730000-0x000001C087732000-memory.dmp

Filesize
8KB

Download
memory/2768-154-0x0000000000000000-mapping.dmp

Download
memory/2768-167-0x000001C087733000-0x000001C087735000-memory.dmp

Filesize
8KB

Download
memory/2768-172-0x000001C087736000-0x000001C087738000-memory.dmp

Filesize
8KB

Download
memory/2768-173-0x000001C0890C0000-0x000001C0890CE000-memory.dmp

Filesize
56KB

Download
memory/3828-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3828-177-0x000000000040242D-mapping.dmp

Download
memory/3828-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads