netwire | 4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1

General

Target

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe
Size

166KB
MD5

97a4a5fa687287e4f0bd3c7e6dc504b7
SHA1

a2b25810dfe7f9df70980208feb9cf30393f8812
SHA256

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1
SHA512

c5f83d5234e4ce73fd8e019b43eab89f00d1a92672d28438cf99d844fd605a112bb02f149fe460c5d885430a9caff6bbf9195e4fba6b53faf1ed176367bd22c8

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5068-143-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/5068-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/5068-146-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgxmvk.url	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description	pid	process	target process
PID 4744 set thread context of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

pid	process
4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe
4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description pid process

Token: SeDebugPrivilege 4744 4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

description	pid	process
Token: SeDebugPrivilege	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.execsc.exe

description	pid	process	target process
PID 4744 wrote to memory of 4940	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	csc.exe
PID 4744 wrote to memory of 4940	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	csc.exe
PID 4744 wrote to memory of 4940	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	csc.exe
PID 4940 wrote to memory of 5096	4940	csc.exe	cvtres.exe
PID 4940 wrote to memory of 5096	4940	csc.exe	cvtres.exe
PID 4940 wrote to memory of 5096	4940	csc.exe	cvtres.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe
PID 4744 wrote to memory of 5068	4744	4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe
"C:\Users\Admin\AppData\Local\Temp\4a30b0537dda3caf4d48fc11b73e4b1141ab3c762fa8c10e63944e1dd42c73c1.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rty0yos2\rty0yos2.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2913.tmp" "c:\Users\Admin\AppData\Local\Temp\rty0yos2\CSC3B908E4E804E45038AEE3CFEB8DEB434.TMP"
3⤵
PID:5096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2913.tmp

Filesize
1KB

MD5
9305ce8fae4f50fa22516f64a0f7ecbb

SHA1
216a469de96265f5850747fe47a7ab9b0da20bbd

SHA256
f251e44949e710836a45b3004b37984d64a8ebe400e0c5631a6c0c013ef81956

SHA512
90c30c1fb392a8a8dcc13cf26850d96774b6bac5c7e3d6fc3a0bce4335c9a5998bd3d4195ac4cfbcf7eeb208899dd66515ab07e0bedee8fc788c22821c201d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty0yos2\rty0yos2.dll

Filesize
7KB

MD5
5e97ea8098aec07f9cbf3d29b5e26e8f

SHA1
37e8e39cf8bbdfa533cde6c4510c781c3b344790

SHA256
6a19c11d6bdfbc23a2d6841a7a5d3a769fad3476bb05a99aea213d79ef54f65d

SHA512
cfcc76dfce5e7c09aecf8aa6e3b51cfdc5b86c3609974fc30b17cf9d564c18c512dc26dd03e8ebb60e0d8ed22b2438e1741e6e54325759434bdc57f3bd1d5f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty0yos2\rty0yos2.pdb

Filesize
21KB

MD5
73effced44edef7925f32ae01af24d76

SHA1
1b6e4fecfdb5a41a909e38d400fcaf3c166e14cc

SHA256
2d7faa6bbb4c4bd47ab6ac84774099692cb1ae534a80766243fca83263896469

SHA512
f27133ac926e52e970c97de87f2fd347db282e975ef583a345a8891d9a65be9f063440e0139a1bc71b88719f0314da01690222de47369c60febcfcd51e09690a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rty0yos2\CSC3B908E4E804E45038AEE3CFEB8DEB434.TMP

Filesize
1KB

MD5
3f787acc42f8a558a54a44fb1dc48953

SHA1
84cb04e2c481573df6d529c42a9b62007218714e

SHA256
eb6d04b4a09f8f3d1a76ee17389e662549c1ec94db45377429deb54cde00971e

SHA512
af3c2d0046556ed9f85d9fead614d3b7ac1a01827c3b8b44ab4c331b95736dd2107d5c34fa8a433e7b43f939fc853ff41bf4a9ef606642095af420b0f9bc649b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rty0yos2\rty0yos2.0.cs

Filesize
4KB

MD5
a2edc74f7bd6285c989957146662b39c

SHA1
652567d62d441cca24d87c3028fd2278713a12c9

SHA256
26e63b4bd39c0f7c5e1dade42729653face8c65f044d2fd68a78ffab5f9dc257

SHA512
f46d7f362ddbfbb8ae11600c5241c3e418aaa6c0c5098f89465082d3fd3d6e80ad84a965ba268446d460e4481aa16fd0381272f8991e4e6e50bdce2e7475204f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rty0yos2\rty0yos2.cmdline

Filesize
312B

MD5
6ceba4859e1feec6cde28ec77daf1c45

SHA1
f1439f09c6d11cf9f1b7889b6bd12d8dbc24cd1b

SHA256
b33a031e594d2ab65712e4a3b09af547915b9162ca92a5603260b672d0af694a

SHA512
5ee11fc9b1d0a9cad5566eec9997eed7cd69e626560a02be4dcd481aed6560eb503ffca9c6db20588b3ab2fc9c13b8c4c3c9b1c42068ae32226ccdcb779f7b2a

Download Submit
memory/4744-131-0x00000000002B0000-0x00000000002E0000-memory.dmp

Filesize
192KB

Download
memory/4744-140-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4744-141-0x00000000053D0000-0x000000000546C000-memory.dmp

Filesize
624KB

Download
memory/4940-132-0x0000000000000000-mapping.dmp

Download
memory/5068-142-0x0000000000000000-mapping.dmp

Download
memory/5068-143-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5068-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5068-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5096-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads