netwire | d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77

General

Target

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe
Size

376KB
MD5

bacd89514912553f8e066683c16ea373
SHA1

4d213d62c33caacec7f6cace6746c3ec732bd13f
SHA256

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77
SHA512

5c8e972a534bb43cde098bf2ca684acee87357ccfb258b9bf9c01f4bda9f3704255bc784465706f634e3851228fd6dd0b89367f9657a4e1021217de4f1e22583

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/548-67-0x0000000002000000-0x000000000202C000-memory.dmp	netwire
behavioral1/memory/1952-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1952-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description pid process target process

PID 548 set thread context of 1952 548 d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe vbc.exe

description	pid	process	target process
PID 548 set thread context of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

pid	process
548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe
548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description pid process

Token: SeDebugPrivilege 548 d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description	pid	process
Token: SeDebugPrivilege	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.execsc.exe

description	pid	process	target process
PID 548 wrote to memory of 916	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	csc.exe
PID 548 wrote to memory of 916	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	csc.exe
PID 548 wrote to memory of 916	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	csc.exe
PID 548 wrote to memory of 916	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	csc.exe
PID 916 wrote to memory of 1300	916	csc.exe	cvtres.exe
PID 916 wrote to memory of 1300	916	csc.exe	cvtres.exe
PID 916 wrote to memory of 1300	916	csc.exe	cvtres.exe
PID 916 wrote to memory of 1300	916	csc.exe	cvtres.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 548 wrote to memory of 1952	548	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe
"C:\Users\Admin\AppData\Local\Temp\d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qgi5e3y2\qgi5e3y2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89AA.tmp" "c:\Users\Admin\AppData\Local\Temp\qgi5e3y2\CSCB9F3623EE100424C9E207519C6B477C.TMP"
3⤵
PID:1300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89AA.tmp

Filesize
1KB

MD5
c8c5e83349d29783fc090932d7878ef1

SHA1
065f526bcfa949925e973041cb1fa26804a0dec4

SHA256
bad5f602be4e872eb05a9fbac6e53f94c0851b42b4815bd92c58c15ef48ba008

SHA512
9fcfdf92b504f996b5a34f33c118502421022926ff8a9da15849af830f51a9b940bcf592b4f64664a7bd918bd241cfbfb47a45169d4854caba201e0915f03d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgi5e3y2\qgi5e3y2.dll

Filesize
11KB

MD5
c3095e30ad92c20dc3ab3e227ee1a9b5

SHA1
f3ae8d037b8e4fcba4e3fdec1c078818642ee2d4

SHA256
8b03f7adf322b50c3d2cdf551fdd567c59176046afa27bc4b0d5cdbca1add85b

SHA512
a14485b4fb4ab324663b07f6a3428ef9e29d13ff93e0a24cd8aee25cbdf45902697b699e993bb19412c6a80f54c4d951f157f26b8983c6071ec5d7b833283897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgi5e3y2\qgi5e3y2.pdb

Filesize
39KB

MD5
bba725a0245a62f839ec064d330c736d

SHA1
4b6e9e4711e2d1a338da2f98a4d21686c25214df

SHA256
ad3a5f5115fb997828d3ec14dce962e61dbc82b75a1aa83b558904542fb5fe9e

SHA512
6e9f64b676a3d492468324adc87d6d9d17420ae338c10b7460abb5db730d481d571edca1cfad1649b314f92ef407f57469090f3f749ee63a30decd7935e0e65b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgi5e3y2\CSCB9F3623EE100424C9E207519C6B477C.TMP

Filesize
1KB

MD5
28902a21976ab3527fb87e85d1c43010

SHA1
63aba30bbcff307b426bfd1ad9ebe3467c3b4d90

SHA256
fc54e150b61228507607be672e3611ecb9be622a6f2b77eca59068ac9744d936

SHA512
6e804ffae0e6e677a6ce186684fda2149d8978ddb5ade6d8b9f036da1fa74136221ee86f2c07b2c590dfcc56c56c0ce42f0ffacbccb895b3d6ead83aff57386a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgi5e3y2\qgi5e3y2.0.cs

Filesize
18KB

MD5
44795ae4b36aa11571536c25c39c3474

SHA1
9cefffbb14c0aee82dc8455b3a9f251147d029ba

SHA256
3f0d8ad011a847452407a58f24fdd34117e438d56489dc50da89323c54ec5773

SHA512
889e75da87a6a2e8a9a91b851bb4973679f9a67178a8a679c83b6815994c30d694ef9f25b5b80cc0b32f71e18fc0aaf9ffd93abf96c9f0d0a9fe97ad6b7fc0bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qgi5e3y2\qgi5e3y2.cmdline

Filesize
312B

MD5
15b7fcd65e8e6896b9d1171d0b81108f

SHA1
4b083b45cbdd7ca0c0826052e22e2583d685c9bb

SHA256
e498baa7cc350bcebeffa52d4f8dd372c48acc0f9a7c7f59051a8cdc28fbcd97

SHA512
2b4497adbb99c97a9585a081fd943dd51853c78f597bc7f38d9f139a363ee564b2223dbacbd19631764cf4bad9326be53b596b472934b5219b57cecefacae802

Download Submit
memory/548-66-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/548-63-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/548-64-0x00000000007E0000-0x0000000000812000-memory.dmp

Filesize
200KB

Download
memory/548-65-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/548-54-0x0000000000B90000-0x0000000000BF2000-memory.dmp

Filesize
392KB

Download
memory/548-67-0x0000000002000000-0x000000000202C000-memory.dmp

Filesize
176KB

Download
memory/916-55-0x0000000000000000-mapping.dmp

Download
memory/1300-58-0x0000000000000000-mapping.dmp

Download
memory/1952-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-78-0x0000000000402BCB-mapping.dmp

Download
memory/1952-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads