netwire | 464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e

General

Target

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe
Size

200KB
MD5

beb3ac9d7ab382c17db324f67d1fb1dc
SHA1

07f8cbd1c5e5d534436d6ca8e1f8da9bb6625c8a
SHA256

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e
SHA512

218b874d9f7a5569889da7500af3651e25427b6a922db24b02f913410ecd6301f47d884c20ac3f300c6e5c03bd8a8c182a4acf96a99d93c44e4f27a869078007

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1784-67-0x0000000000B20000-0x0000000000B4C000-memory.dmp	netwire
behavioral1/memory/892-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/892-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/892-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/892-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/892-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/892-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/892-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtbGDv.url	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description pid process target process

PID 1784 set thread context of 892 1784 464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe vbc.exe

description	pid	process	target process
PID 1784 set thread context of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

pid	process
1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe
1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description pid process

Token: SeDebugPrivilege 1784 464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description	pid	process
Token: SeDebugPrivilege	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.execsc.exe

description	pid	process	target process
PID 1784 wrote to memory of 828	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	csc.exe
PID 1784 wrote to memory of 828	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	csc.exe
PID 1784 wrote to memory of 828	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	csc.exe
PID 1784 wrote to memory of 828	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	csc.exe
PID 828 wrote to memory of 968	828	csc.exe	cvtres.exe
PID 828 wrote to memory of 968	828	csc.exe	cvtres.exe
PID 828 wrote to memory of 968	828	csc.exe	cvtres.exe
PID 828 wrote to memory of 968	828	csc.exe	cvtres.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 1784 wrote to memory of 892	1784	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe
"C:\Users\Admin\AppData\Local\Temp\464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oudyejw3\oudyejw3.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA8E.tmp" "c:\Users\Admin\AppData\Local\Temp\oudyejw3\CSC488DB211C0434F449EC676B08CE9E424.TMP"
3⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEA8E.tmp
Filesize
1KB

MD5
002e0dcad8a8d8095821f7cbcd426872

SHA1
d0b712cd9a56b1e8e31002435346abbf6ed673ca

SHA256
d1fe4e9e0bd55b624eb1c597279a239529565e391632b672b2eb8b1bdeb7250c

SHA512
ad1f683954e6a006f07ec44bc36890cc1db68c59aa3dad2f085602ca052e9f1b724d501247b5a82fad4819d6853c094c9a2d106d8a42970aaf9fcd40c15d4b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\oudyejw3\oudyejw3.dll
Filesize
9KB

MD5
2ea7e19a2f3857ddbac570a3cbf583a2

SHA1
2ebc1771e185daf7894276b323ae87ad37d6e6d3

SHA256
e4963e20b98e5ba529e2019a5e3ac515c5e6e4ea5c1951596b1a495b395bb6d2

SHA512
2f41e7f0a2bd1db03ef128e08c04a7c1f581ebc3f4900cbe91a98ea3b36012d100f23876493b82b6e11d57285170af56513517db9c1ba3cece78bcaf5dcad171

Download Submit
C:\Users\Admin\AppData\Local\Temp\oudyejw3\oudyejw3.pdb
Filesize
31KB

MD5
b3d67dbe50b5fbaeb35f0e8c1a9b7472

SHA1
12b1e18c23ead0bf6fc7eb3f8b0635f275410fec

SHA256
90ea693bd4dddf0017fc4036e81580eb653a02008af5c4bb2a971ac019f3e1d4

SHA512
8708ac0475353bd36f57ca75328b130a0af414d7679f71a5f760a8c16922a80ff1d8c358d31f4c8d5bfb44599a2feb6a118761db1db358d1f854846c664536de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oudyejw3\CSC488DB211C0434F449EC676B08CE9E424.TMP
Filesize
1KB

MD5
e5a64c5771efde9c36008b02dd107278

SHA1
ee14728b15d1c37575b9be5221a55d0a925c301a

SHA256
b43efe0b30ecd851f5cc9deb1f41932bffe6c46c8ff7d68380acd83519620f1c

SHA512
26011c854b572f7e59d55d22a833d671563a88330d1554043423572eb2a9ac632361cf417966610547bcadf6b686e5041e85a944b4db5f6943336cfa0ef5029f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oudyejw3\oudyejw3.0.cs
Filesize
13KB

MD5
6910754f2c7780cf3f320f594bd8e6a6

SHA1
eb302a9faa20e15ad3c72a741d4f2462993564ba

SHA256
1fe2d37a4ad8dd97c6b13d1dbf42fe159246af69c2643d19813757e8e01d63ce

SHA512
4da8ac21dc91d7b6a132787646db24407404eb9b901c1c8cf4ba13d5086d6657244c42a342b6af962c5d05470d1a2519dec924bfcbc1459450207b5f054ece82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oudyejw3\oudyejw3.cmdline
Filesize
312B

MD5
a9a327c02d18673ee702c3fb6070e459

SHA1
9ab631651ceb9faa586f3ac955965f6ed4001239

SHA256
64038712b2735148303027d4998c731105e5387e90045964116ad235f3f0dbc4

SHA512
a270e1bad2ead8a6f9219600aa316156b8fd0136f9816b3bf1c63809808f619bdecdee18777adb4e97e2cb2daf46264cb53df453d6502cf8af8f573ac7361cf0

Download Submit
memory/828-55-0x0000000000000000-mapping.dmp

Download
memory/892-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-78-0x0000000000402BCB-mapping.dmp

Download
memory/892-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/892-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/968-58-0x0000000000000000-mapping.dmp

Download
memory/1784-67-0x0000000000B20000-0x0000000000B4C000-memory.dmp

Filesize
176KB

Download
memory/1784-54-0x0000000000B50000-0x0000000000B88000-memory.dmp

Filesize
224KB

Download
memory/1784-66-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download
memory/1784-65-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1784-64-0x00000000006E0000-0x0000000000712000-memory.dmp

Filesize
200KB

Download
memory/1784-63-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads