netwire | 4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1

General

Target

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe
Size

166KB
MD5

97a4a5fa687287e4f0bd3c7e6dc504b7
SHA1

a2b25810dfe7f9df70980208feb9cf30393f8812
SHA256

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1
SHA512

c5f83d5234e4ce73fd8e019b43eab89f00d1a92672d28438cf99d844fd605a112bb02f149fe460c5d885430a9caff6bbf9195e4fba6b53faf1ed176367bd22c8

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1808-67-0x0000000000630000-0x000000000065C000-memory.dmp	netwire
behavioral1/memory/1280-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1280-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1280-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1280-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1280-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1280-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1280-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgxmvk.url	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description	pid	process	target process
PID 1808 set thread context of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

pid	process
1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe
1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description pid process

Token: SeDebugPrivilege 1808 4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description	pid	process
Token: SeDebugPrivilege	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.execsc.exe

description	pid	process	target process
PID 1808 wrote to memory of 1760	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	csc.exe
PID 1808 wrote to memory of 1760	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	csc.exe
PID 1808 wrote to memory of 1760	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	csc.exe
PID 1808 wrote to memory of 1760	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	csc.exe
PID 1760 wrote to memory of 2024	1760	csc.exe	cvtres.exe
PID 1760 wrote to memory of 2024	1760	csc.exe	cvtres.exe
PID 1760 wrote to memory of 2024	1760	csc.exe	cvtres.exe
PID 1760 wrote to memory of 2024	1760	csc.exe	cvtres.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 1808 wrote to memory of 1280	1808	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe
"C:\Users\Admin\AppData\Local\Temp\4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vncq0k0w\vncq0k0w.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A84.tmp" "c:\Users\Admin\AppData\Local\Temp\vncq0k0w\CSCEE97C37BE90B4AECAA4BD6C68CD7647B.TMP"
3⤵
PID:2024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES1A84.tmp

Filesize
1KB

MD5
1724243ce2f2907ae458bf29b9b2d09b

SHA1
4f35d8c92a8d4acf7d5479e31cf10a23dce02da8

SHA256
9777a2c44193e4a793c664ef811d4c8f4412b050aed7cd639797eb282206143b

SHA512
8b80597ebef4411271701501b9024dfa5e56b373391d7b96af6e18f218dbce63b8e38bd5122e110d131d537e750a628d1e11c8cd5ef9fbaed59cd0697c917d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\vncq0k0w\vncq0k0w.dll

Filesize
7KB

MD5
45fcdc70c54b1bb86e46d644a551d3d0

SHA1
92f69cd938a3db920607efaa38d4a59ec21a851c

SHA256
dc27503b70ede898e99ff8fa8057f154e31d807d5910cece1c45c710cbd17d11

SHA512
080f7880653be5cfaa268a46943bb8b1b3ac118dd2bd2276f4176965df0f0806c591a8ffd9bb42253e50d2f16ef782553092002fcaa7f368571e6e623cfdd6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vncq0k0w\vncq0k0w.pdb

Filesize
21KB

MD5
81becf56551f65faf1504ca5cd0ace9a

SHA1
15ccdf0491e548bc7638e5bee59cdb445d80910d

SHA256
6ee702a553c86c4e7ef096dc5f2e1c889bce4215ae95c6d255fea284af3aa248

SHA512
67202166b27d5396b0fd467eecf088935c44f7837b7ca7a00e1f15ee4d9e4ad4bd80873b74a01dd56d0430d4e19f9cce678a1b7544eca2cdb79b9ca8dc89ed6e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vncq0k0w\CSCEE97C37BE90B4AECAA4BD6C68CD7647B.TMP

Filesize
1KB

MD5
07b44682c032c23396c81736f3341717

SHA1
219d81cf109431dab4423a506b6d0107d6b711f0

SHA256
71ee0a86cd52e9a6b66aa97aab1f817f15fe9957732cfa38b6d6580940bf8a0b

SHA512
82cd7beea04b28b88a8456affdefc09b23a692430bf290fbea9eab79d53b37baf3b42f7a8e9802169549bf7b3ce0b460a3a779cc4485113ed5d3e9f1e5e8f587

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vncq0k0w\vncq0k0w.0.cs

Filesize
4KB

MD5
a2edc74f7bd6285c989957146662b39c

SHA1
652567d62d441cca24d87c3028fd2278713a12c9

SHA256
26e63b4bd39c0f7c5e1dade42729653face8c65f044d2fd68a78ffab5f9dc257

SHA512
f46d7f362ddbfbb8ae11600c5241c3e418aaa6c0c5098f89465082d3fd3d6e80ad84a965ba268446d460e4481aa16fd0381272f8991e4e6e50bdce2e7475204f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vncq0k0w\vncq0k0w.cmdline

Filesize
312B

MD5
3cfb7c669ac7d7030868c4874454e2bc

SHA1
529e62729e42141cb4838adbb80b5413260d55a4

SHA256
8b60ff5b926f4d1c901baf9d27458bf66031f43dbf91baaa6c706697cf1a5dec

SHA512
91f29b2966c9b1260f1b396de0135c39d01193c1d1606fbc08d298130726c5497d6e87288b32cb81cee8a76720b739438cfeb03ff6398d1a367629810128054f

Download Submit
memory/1280-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-78-0x0000000000402BCB-mapping.dmp

Download
memory/1280-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1280-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1760-55-0x0000000000000000-mapping.dmp

Download
memory/1808-67-0x0000000000630000-0x000000000065C000-memory.dmp

Filesize
176KB

Download
memory/1808-66-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1808-54-0x0000000001270000-0x00000000012A0000-memory.dmp

Filesize
192KB

Download
memory/1808-65-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1808-64-0x00000000005C0000-0x00000000005F2000-memory.dmp

Filesize
200KB

Download
memory/1808-63-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/2024-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads