netwire | 4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

Analysis

max time kernel
151s
max time network
172s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-07-2022 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Size

303KB
MD5

144539a65d10a6ed3df334866028ba79
SHA1

7d74cbaa4552b9468aaf079dab28b2bae29d1ae9
SHA256

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895
SHA512

33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Score

10^/10

netwire agilenet botnet rat stealer

Malware Config

Extracted

Family

netwire

info1.nowddns.com:5552

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
NOW-DNS-5552
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
gqmQdKHu
offline_keylogger
true
password
caster123
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1272-83-0x00000000000C0000-0x00000000000EC000-memory.dmp	netwire
behavioral1/memory/1272-84-0x00000000000C0000-0x00000000000EC000-memory.dmp	netwire
behavioral1/memory/1272-86-0x00000000000C0000-0x00000000000EC000-memory.dmp	netwire
behavioral1/memory/1272-88-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1272-93-0x00000000000C0000-0x00000000000EC000-memory.dmp	netwire
behavioral1/memory/1272-90-0x00000000000C0000-0x00000000000EC000-memory.dmp	netwire
behavioral1/memory/1272-98-0x00000000000C0000-0x00000000000EC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

app.exeapp.exeapp.exe

pid process

952 app.exe
1152 app.exe
1272 app.exe
Drops startup file 1 IoCs

Processes:

app.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk app.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exeapp.exeWerFault.exe

pid process

1704 cmd.exe
952 app.exe
1816 WerFault.exe
1816 WerFault.exe
1816 WerFault.exe
1816 WerFault.exe
1816 WerFault.exe

pid	process
952	app.exe
1152	app.exe
1272	app.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk	app.exe

pid	process
1704	cmd.exe
952	app.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe
1816	WerFault.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1152-70-0x00000000003C0000-0x00000000003CC000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 1152 set thread context of 1272 1152 app.exe app.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1816 952 WerFault.exe app.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

app.exe

pid process

952 app.exe

description	pid	process	target process
PID 1152 set thread context of 1272	1152	app.exe	app.exe

pid	pid_target	process	target process
1816	952	WerFault.exe	app.exe

pid	process
952	app.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exeapp.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Token: 33	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Token: SeIncBasePriorityPrivilege	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
Token: SeDebugPrivilege	952	app.exe
Token: 33	952	app.exe
Token: SeIncBasePriorityPrivilege	952	app.exe
Token: SeDebugPrivilege	1152	app.exe
Token: 33	1152	app.exe
Token: SeIncBasePriorityPrivilege	1152	app.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.execmd.exeapp.exeapp.exe

description	pid	process	target process
PID 1764 wrote to memory of 1616	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1764 wrote to memory of 1616	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1764 wrote to memory of 1616	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1764 wrote to memory of 1616	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1764 wrote to memory of 1704	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1764 wrote to memory of 1704	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1764 wrote to memory of 1704	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1764 wrote to memory of 1704	1764	4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe	cmd.exe
PID 1704 wrote to memory of 952	1704	cmd.exe	app.exe
PID 1704 wrote to memory of 952	1704	cmd.exe	app.exe
PID 1704 wrote to memory of 952	1704	cmd.exe	app.exe
PID 1704 wrote to memory of 952	1704	cmd.exe	app.exe
PID 952 wrote to memory of 1152	952	app.exe	app.exe
PID 952 wrote to memory of 1152	952	app.exe	app.exe
PID 952 wrote to memory of 1152	952	app.exe	app.exe
PID 952 wrote to memory of 1152	952	app.exe	app.exe
PID 952 wrote to memory of 1816	952	app.exe	WerFault.exe
PID 952 wrote to memory of 1816	952	app.exe	WerFault.exe
PID 952 wrote to memory of 1816	952	app.exe	WerFault.exe
PID 952 wrote to memory of 1816	952	app.exe	WerFault.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe
PID 1152 wrote to memory of 1272	1152	app.exe	app.exe

C:\Users\Admin\AppData\Local\Temp\4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe
"C:\Users\Admin\AppData\Local\Temp\4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe"
5⤵
- Executes dropped EXE
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1508
4⤵
- Loads dropped DLL
- Program crash
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\app.exe

Filesize
303KB

MD5
144539a65d10a6ed3df334866028ba79

SHA1
7d74cbaa4552b9468aaf079dab28b2bae29d1ae9

SHA256
4114804fd7aebc04caec60731b3282998cca1e276e5f120dce88d46decff1895

SHA512
33802b04f713820d4a19220b3391cde8090a3837a82fff2d23af4d8994998665d87c98195170f68b6856c58d765b96bfd64fa7163ee1cf3882416cb5de8c58e9

Download Submit
memory/952-63-0x0000000000000000-mapping.dmp

Download
memory/952-65-0x0000000000270000-0x00000000002C4000-memory.dmp

Filesize
336KB

Download
memory/952-66-0x00000000004F0000-0x0000000000514000-memory.dmp

Filesize
144KB

Download
memory/1152-70-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1152-67-0x0000000000000000-mapping.dmp

Download
memory/1152-69-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/1272-88-0x0000000000402BCB-mapping.dmp

Download
memory/1272-86-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-98-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-90-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-93-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-78-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-79-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-81-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-83-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1272-84-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1616-59-0x0000000000000000-mapping.dmp

Download
memory/1704-60-0x0000000000000000-mapping.dmp

Download
memory/1764-57-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/1764-54-0x0000000001290000-0x00000000012E4000-memory.dmp

Filesize
336KB

Download
memory/1764-56-0x00000000003E0000-0x0000000000404000-memory.dmp

Filesize
144KB

Download
memory/1764-55-0x00000000002F0000-0x000000000031C000-memory.dmp

Filesize
176KB

Download
memory/1764-58-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1816-72-0x0000000000000000-mapping.dmp

Download