netwire | d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77

General

Target

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe
Size

376KB
MD5

bacd89514912553f8e066683c16ea373
SHA1

4d213d62c33caacec7f6cace6746c3ec732bd13f
SHA256

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77
SHA512

5c8e972a534bb43cde098bf2ca684acee87357ccfb258b9bf9c01f4bda9f3704255bc784465706f634e3851228fd6dd0b89367f9657a4e1021217de4f1e22583

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/936-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/936-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/936-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description pid process target process

PID 3744 set thread context of 936 3744 d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe vbc.exe

description	pid	process	target process
PID 3744 set thread context of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

pid	process
3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe
3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description pid process

Token: SeDebugPrivilege 3744 d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

description	pid	process
Token: SeDebugPrivilege	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.execsc.exe

description	pid	process	target process
PID 3744 wrote to memory of 2096	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	csc.exe
PID 3744 wrote to memory of 2096	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	csc.exe
PID 3744 wrote to memory of 2096	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	csc.exe
PID 2096 wrote to memory of 4092	2096	csc.exe	cvtres.exe
PID 2096 wrote to memory of 4092	2096	csc.exe	cvtres.exe
PID 2096 wrote to memory of 4092	2096	csc.exe	cvtres.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe
PID 3744 wrote to memory of 936	3744	d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe
"C:\Users\Admin\AppData\Local\Temp\d8923dd88b902706ac95c8fadd073dddf17cc2c5cc3b40fdfc9795e6e3fc7e77.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gmddskwz\gmddskwz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CDC.tmp" "c:\Users\Admin\AppData\Local\Temp\gmddskwz\CSCB361D7CCB75F450D9493D647643F86.TMP"
3⤵
PID:4092

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2CDC.tmp

Filesize
1KB

MD5
d2ebbb468edc447ab3d243f618c6ea48

SHA1
256ca68372463dde1bd17c13479fc190f9c473fa

SHA256
e1794b1cb1c87cb02467826f3796a37d7e4b77b9d19a1595305a31e7286bd80a

SHA512
7fee3566c953b5f6f8631ada02ca2d465754e2f1a42466116d065575bc62b87a40cc27a6c96f244641037efea11ce8d72b80f43aba22c13d0c2cf003eab7e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmddskwz\gmddskwz.dll

Filesize
11KB

MD5
5018d104c5ca9479eec573e23c9d556e

SHA1
a9f7887a9ed65e0535664220a3dc6cf657709065

SHA256
6b4f4df335e99c6e7fc0e18563822fa8da850c27b7e93b86ad15bfb4abd106c1

SHA512
932dd61d2a25b91210e2832363d29123e258b3fd1a9dd8ad366d5487ec938a800ac7460e449a4a2600444d613b113a728bd6dc1c6d07fe962f796b4e0c08c7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmddskwz\gmddskwz.pdb

Filesize
39KB

MD5
929e706ae0ace3db1ddcc373a38074a7

SHA1
18b88e63ed9ca2ceaaa3698244ccc480dab92eec

SHA256
6e1f314137fc1cb8c2d867704ee6d3a9bf8449b847d1de0b8fe9fca2edafa284

SHA512
cad56f0703aebb10f0aa1ef29925d13bc426369b36ed55cbd1d5c0640fb42c02f694cc94c7a2615760a569e2b6e72eee80f4dbc882e8806f7453a0f01a159e72

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmddskwz\CSCB361D7CCB75F450D9493D647643F86.TMP

Filesize
1KB

MD5
e201c07e4f2d83860f333ea90db42c25

SHA1
193e1e4a72e8710829d8fd7bc94f16a2e1683173

SHA256
b219ac79ba388cce4ac70413a3d11686b6822a3f8ee3c1b685af401a0660554e

SHA512
219d82309aa968446c70e32dd28790c08be09300e988ad3bc33d5631de09b34dd772b85efe850a8d6949e9ffd23840ee96e6f646185553cee4fa7faf2d177951

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmddskwz\gmddskwz.0.cs

Filesize
18KB

MD5
44795ae4b36aa11571536c25c39c3474

SHA1
9cefffbb14c0aee82dc8455b3a9f251147d029ba

SHA256
3f0d8ad011a847452407a58f24fdd34117e438d56489dc50da89323c54ec5773

SHA512
889e75da87a6a2e8a9a91b851bb4973679f9a67178a8a679c83b6815994c30d694ef9f25b5b80cc0b32f71e18fc0aaf9ffd93abf96c9f0d0a9fe97ad6b7fc0bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmddskwz\gmddskwz.cmdline

Filesize
312B

MD5
a1ec17c5fd0f0b93535f9d6fb302d513

SHA1
a0181ef7db5e53f84c56c5b6bbda5daa790ca8db

SHA256
2aa2365b2a3f2f76b944263c89d946763ae2ad73ee70a59341837bf3e321f5d1

SHA512
26dcb4d87c1f6fe9c121752701a7a2ce41791881568e47c7136a18fb847c1f171a65f9e0f2b2d6436ce04e9475ac937023c0f4f9b470ffaec332138b028814d0

Download Submit
memory/936-141-0x0000000000000000-mapping.dmp

Download
memory/936-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/936-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/936-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2096-131-0x0000000000000000-mapping.dmp

Download
memory/3744-130-0x00000000005C0000-0x0000000000622000-memory.dmp

Filesize
392KB

Download
memory/3744-139-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/3744-140-0x00000000056F0000-0x000000000578C000-memory.dmp

Filesize
624KB

Download
memory/4092-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads