netwire | 464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e

General

Target

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe
Size

200KB
MD5

beb3ac9d7ab382c17db324f67d1fb1dc
SHA1

07f8cbd1c5e5d534436d6ca8e1f8da9bb6625c8a
SHA256

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e
SHA512

218b874d9f7a5569889da7500af3651e25427b6a922db24b02f913410ecd6301f47d884c20ac3f300c6e5c03bd8a8c182a4acf96a99d93c44e4f27a869078007

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4628-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4628-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4628-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xtbGDv.url	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description	pid	process	target process
PID 4068 set thread context of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

pid	process
4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe
4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description pid process

Token: SeDebugPrivilege 4068 464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

description	pid	process
Token: SeDebugPrivilege	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.execsc.exe

description	pid	process	target process
PID 4068 wrote to memory of 2428	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	csc.exe
PID 4068 wrote to memory of 2428	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	csc.exe
PID 4068 wrote to memory of 2428	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	csc.exe
PID 2428 wrote to memory of 2744	2428	csc.exe	cvtres.exe
PID 2428 wrote to memory of 2744	2428	csc.exe	cvtres.exe
PID 2428 wrote to memory of 2744	2428	csc.exe	cvtres.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe
PID 4068 wrote to memory of 4628	4068	464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe
"C:\Users\Admin\AppData\Local\Temp\464090c0450eb10c9fe81bbbba947a19454c0bce7ef6652ad8c4935b70ffc91e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kim4bkeb\kim4bkeb.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES608F.tmp" "c:\Users\Admin\AppData\Local\Temp\kim4bkeb\CSC413B7884E3C449B3BDB51E5B9C58F44C.TMP"
3⤵
PID:2744

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES608F.tmp

Filesize
1KB

MD5
ee21afa01e24c7fbdafbe005d987eeba

SHA1
3d10de9508b6ac9a7032eb49e8bf02bb09a95fd2

SHA256
c8af76f3334f914dbb2233ba1b532c40f3b96bec6280c4ac37f0de2e0d4a8dfc

SHA512
3f0d9a2a7a769265e260e7d73ff923d11d0a6f4786cf0a1f841cf3fe6bd609dd13ff222e2dce265f252343803a9efe7a49e12afd69db43264ec4354caf6c2ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kim4bkeb\kim4bkeb.dll

Filesize
9KB

MD5
27b595d5200a8cc9accf1ec75e3c941b

SHA1
964dd49a47fd21ca24e6034ce45cec81474fb698

SHA256
2dbac7e29b5159c1c60eacb3faa2d723a683c8713f5daa4edbcb44194dfc0c70

SHA512
41601f1566f3328bbc09052cfc692e9b37d29a92ff2cde695d02a5ac6e81dd9eb72d1df33b98e98518c95efd6bceb224ccfc78633eb4e86eab16dfd1d4e0e45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kim4bkeb\kim4bkeb.pdb

Filesize
31KB

MD5
ed734ea6f8f8cd07b43b7de2c32b0df0

SHA1
377e8641959d471ef0adb5c8e4f37f477ee3a7c2

SHA256
219e7563f52bc4e6ea89810895bde2405da231279ffeb7c2757a68fa9d4c7044

SHA512
154683e5be47796f7555429eb657e455e8b4081861b7e500555fef47f2a8f57cd3952e856fe8b6bb619b01a16cad8e24ba767e7f35a469f340aa6ebeb034b745

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kim4bkeb\CSC413B7884E3C449B3BDB51E5B9C58F44C.TMP

Filesize
1KB

MD5
c2dd5cbdf8e07a8fde79983144fba5be

SHA1
d97cf6a3a8121e9117a62a49967e6fdbbcbaa5da

SHA256
8eab90dbfddcc90d6f8bcc9be71d227e765dd9cf4d20d9cb788ca9deb7c4a2c1

SHA512
096fd2cf5da2baf6dc0ae30ee391833fd746e80f203c122bbb3127070e8bb122545e9d8ca5ca6c2f4d2726d51cab24eae0aa2e63134cf04481e837ec4452ccb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kim4bkeb\kim4bkeb.0.cs

Filesize
13KB

MD5
6910754f2c7780cf3f320f594bd8e6a6

SHA1
eb302a9faa20e15ad3c72a741d4f2462993564ba

SHA256
1fe2d37a4ad8dd97c6b13d1dbf42fe159246af69c2643d19813757e8e01d63ce

SHA512
4da8ac21dc91d7b6a132787646db24407404eb9b901c1c8cf4ba13d5086d6657244c42a342b6af962c5d05470d1a2519dec924bfcbc1459450207b5f054ece82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kim4bkeb\kim4bkeb.cmdline

Filesize
312B

MD5
4884acfe565589da27596da3ba2a2aee

SHA1
9a7435c7cc9ebf90e1651b5115ece8a760d8d214

SHA256
1d030c5cf13fa7d1523c582dcdc5f2f6a1127326f981bee827ee80cb486d5f8f

SHA512
e572af7d908eb58af1db316c572332d43b69fec539d4e951cfbe3fa849bc8f13ad575aa217347335a162e440c567a810a7275fafcc992a646002d0127fb20422

Download Submit
memory/2428-131-0x0000000000000000-mapping.dmp

Download
memory/2744-134-0x0000000000000000-mapping.dmp

Download
memory/4068-130-0x0000000000890000-0x00000000008C8000-memory.dmp

Filesize
224KB

Download
memory/4068-139-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/4068-140-0x0000000005970000-0x0000000005A0C000-memory.dmp

Filesize
624KB

Download
memory/4628-141-0x0000000000000000-mapping.dmp

Download
memory/4628-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4628-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4628-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads