355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin

General

Target: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
Filesize: 212KB
Completed: 19-07-2021 15:17
Score: 10/10
MD5: aeae64fab4622ed23e1c61d26de74249
SHA1: 5dabbf8093eed124e64a7e39c83e14976a74b8bb
SHA256: 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065

Malware Config

Extracted

Family: netwire

C2:
  • 127.0.0.1:3360
  • chrisle79.ddns.net:4414
  • jacknop79.ddns.net:4414
  • smath79.ddns.net:4414
  • whatis79.ddns.net:4414
  • goodgt79.ddns.net:4414
  • bonding79.ddns.net:4414

Attributes:
  activex_autorun: false
  activex_key:
  copy_executable: false
  delete_original: false
  host_id: June 2021
  install_path:
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  mutex:
  offline_keylogger: true
  password: Password2$
  registry_autorun: false
  startup_name:
  use_mutex: false

Signatures (8)

Defense Evasion
Persistence
  • Modifies WinLogon for persistence
    355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\2BYsn3pjWNDCuUWQ\\HZO0JD5kzRL2.exe\",explorer.exe" | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
  • NetWire RAT payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1520-62-0x0000000000400000-0x0000000000436000-memory.dmp | netwire
    behavioral1/memory/1520-63-0x0000000000402453-mapping.dmp | netwire
    behavioral1/memory/1520-65-0x0000000000400000-0x0000000000436000-memory.dmp | netwire
  • Netwire

    Description

    Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

  • Uses the VBS compiler for execution

    TTPs

    Scripting
  • Suspicious use of SetThreadContext
    355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe

    Reported IOCs

    description | pid | process | target process
    PID 484 set thread context of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
  • Suspicious behavior: EnumeratesProcesses
    355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe

    Reported IOCs

    pid | process
    484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
    484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
  • Suspicious use of AdjustPrivilegeToken
    355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
    Token: SeDebugPrivilege | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
  • Suspicious use of WriteProcessMemory
    355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe

    Reported IOCs

    description | pid | process | target process
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
    PID 484 wrote to memory of 1520 | 484 | 355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe | vbc.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin.exe"
    Modifies WinLogon for persistence
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:484
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      PID:1520
Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • memory/484-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp
  • memory/484-61-0x00000000001E0000-0x00000000001E1000-memory.dmp
  • memory/1520-62-0x0000000000400000-0x0000000000436000-memory.dmp
  • memory/1520-63-0x0000000000402453-mapping.dmp
  • memory/1520-65-0x0000000000400000-0x0000000000436000-memory.dmp