netwire | b0183d2016f99466eb45c654e9dc8e53bd4b90df2512acf3c526bdf65b372ba5

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2022 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.exe
Size

1.3MB
MD5

60b5c421004716c14a35409cc5acfaa0
SHA1

ac30ce5aa690a19dd3637156582a6ecd5e257e10
SHA256

b0183d2016f99466eb45c654e9dc8e53bd4b90df2512acf3c526bdf65b372ba5
SHA512

4502ae4d1c54642465141e29424162d49b4c616566111a1a2fac9c90f4a739c09e776d2ce4668d3b54e7ab8acb076ea7cdce2a8ce1ab987ee07edf55639de60d

Score

10^/10

netwire warzonerat botnet infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 12 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Blasthost.exe	netwire
C:\Users\Admin\AppData\Roaming\Blasthost.exe	netwire
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	netwire
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	netwire
C:\Users\Admin\AppData\Roaming\Blasthost.exe	netwire
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	netwire
C:\Users\Admin\AppData\Roaming\Blasthost.exe	netwire
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	netwire
C:\Users\Admin\AppData\Roaming\Blasthost.exe	netwire
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2228-145-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/2228-137-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral2/memory/2324-172-0x00000000003D0000-0x00000000003ED000-memory.dmp	warzonerat
behavioral2/memory/2324-181-0x00000000003D0000-0x00000000003ED000-memory.dmp	warzonerat

Executes dropped EXE 8 IoCs

Processes:

Blasthost.exeHost.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exe

pid process

1944 Blasthost.exe
3856 Host.exe
1968 RtDCpl64.exe
5040 Blasthost.exe
2000 RtDCpl64.exe
3412 RtDCpl64.exe
3976 Blasthost.exe
2324 RtDCpl64.exe

pid	process
1944	Blasthost.exe
3856	Host.exe
1968	RtDCpl64.exe
5040	Blasthost.exe
2000	RtDCpl64.exe
3412	RtDCpl64.exe
3976	Blasthost.exe
2324	RtDCpl64.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

virussign.exeRtDCpl64.exeRtDCpl64.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	virussign.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RtDCpl64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	RtDCpl64.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

virussign.exeRtDCpl64.exeRtDCpl64.exe

description	pid	process	target process
PID 3420 set thread context of 2228	3420	virussign.exe	virussign.exe
PID 1968 set thread context of 2000	1968	RtDCpl64.exe	RtDCpl64.exe
PID 3412 set thread context of 2324	3412	RtDCpl64.exe	RtDCpl64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2768 schtasks.exe
1552 schtasks.exe
1048 schtasks.exe

pid	process
2768	schtasks.exe
1552	schtasks.exe
1048	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

virussign.exeBlasthost.exevirussign.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exe

description	pid	process	target process
PID 3420 wrote to memory of 1944	3420	virussign.exe	Blasthost.exe
PID 3420 wrote to memory of 1944	3420	virussign.exe	Blasthost.exe
PID 3420 wrote to memory of 1944	3420	virussign.exe	Blasthost.exe
PID 1944 wrote to memory of 3856	1944	Blasthost.exe	Host.exe
PID 1944 wrote to memory of 3856	1944	Blasthost.exe	Host.exe
PID 1944 wrote to memory of 3856	1944	Blasthost.exe	Host.exe
PID 3420 wrote to memory of 2228	3420	virussign.exe	virussign.exe
PID 3420 wrote to memory of 2228	3420	virussign.exe	virussign.exe
PID 3420 wrote to memory of 2228	3420	virussign.exe	virussign.exe
PID 3420 wrote to memory of 2228	3420	virussign.exe	virussign.exe
PID 3420 wrote to memory of 2228	3420	virussign.exe	virussign.exe
PID 2228 wrote to memory of 3740	2228	virussign.exe	cmd.exe
PID 2228 wrote to memory of 3740	2228	virussign.exe	cmd.exe
PID 2228 wrote to memory of 3740	2228	virussign.exe	cmd.exe
PID 3420 wrote to memory of 2768	3420	virussign.exe	schtasks.exe
PID 3420 wrote to memory of 2768	3420	virussign.exe	schtasks.exe
PID 3420 wrote to memory of 2768	3420	virussign.exe	schtasks.exe
PID 2228 wrote to memory of 3740	2228	virussign.exe	cmd.exe
PID 2228 wrote to memory of 3740	2228	virussign.exe	cmd.exe
PID 1968 wrote to memory of 5040	1968	RtDCpl64.exe	Blasthost.exe
PID 1968 wrote to memory of 5040	1968	RtDCpl64.exe	Blasthost.exe
PID 1968 wrote to memory of 5040	1968	RtDCpl64.exe	Blasthost.exe
PID 1968 wrote to memory of 2000	1968	RtDCpl64.exe	RtDCpl64.exe
PID 1968 wrote to memory of 2000	1968	RtDCpl64.exe	RtDCpl64.exe
PID 1968 wrote to memory of 2000	1968	RtDCpl64.exe	RtDCpl64.exe
PID 1968 wrote to memory of 2000	1968	RtDCpl64.exe	RtDCpl64.exe
PID 1968 wrote to memory of 2000	1968	RtDCpl64.exe	RtDCpl64.exe
PID 2000 wrote to memory of 3588	2000	RtDCpl64.exe	cmd.exe
PID 2000 wrote to memory of 3588	2000	RtDCpl64.exe	cmd.exe
PID 2000 wrote to memory of 3588	2000	RtDCpl64.exe	cmd.exe
PID 1968 wrote to memory of 1552	1968	RtDCpl64.exe	schtasks.exe
PID 1968 wrote to memory of 1552	1968	RtDCpl64.exe	schtasks.exe
PID 1968 wrote to memory of 1552	1968	RtDCpl64.exe	schtasks.exe
PID 2000 wrote to memory of 3588	2000	RtDCpl64.exe	cmd.exe
PID 2000 wrote to memory of 3588	2000	RtDCpl64.exe	cmd.exe
PID 3412 wrote to memory of 3976	3412	RtDCpl64.exe	Blasthost.exe
PID 3412 wrote to memory of 3976	3412	RtDCpl64.exe	Blasthost.exe
PID 3412 wrote to memory of 3976	3412	RtDCpl64.exe	Blasthost.exe
PID 3412 wrote to memory of 2324	3412	RtDCpl64.exe	RtDCpl64.exe
PID 3412 wrote to memory of 2324	3412	RtDCpl64.exe	RtDCpl64.exe
PID 3412 wrote to memory of 2324	3412	RtDCpl64.exe	RtDCpl64.exe
PID 3412 wrote to memory of 2324	3412	RtDCpl64.exe	RtDCpl64.exe
PID 3412 wrote to memory of 2324	3412	RtDCpl64.exe	RtDCpl64.exe
PID 2324 wrote to memory of 2052	2324	RtDCpl64.exe	cmd.exe
PID 2324 wrote to memory of 2052	2324	RtDCpl64.exe	cmd.exe
PID 2324 wrote to memory of 2052	2324	RtDCpl64.exe	cmd.exe
PID 3412 wrote to memory of 1048	3412	RtDCpl64.exe	schtasks.exe
PID 3412 wrote to memory of 1048	3412	RtDCpl64.exe	schtasks.exe
PID 3412 wrote to memory of 1048	3412	RtDCpl64.exe	schtasks.exe
PID 2324 wrote to memory of 2052	2324	RtDCpl64.exe	cmd.exe
PID 2324 wrote to memory of 2052	2324	RtDCpl64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\virussign.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
3⤵
- Executes dropped EXE
PID:3856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2768

C:\Users\Admin\AppData\Local\Temp\virussign.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3740

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
2⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3588

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1552

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
2⤵
- Executes dropped EXE
PID:3976

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
b93a448017dc382b5b99d982e79d33f2

SHA1
16d1a302bb3147d5fb98f233867cb56fbe9d1702

SHA256
aacced5e7cd7bf7301729cc70125f9076d6223be6f513485d8662962d2c3267c

SHA512
0146511e2f484403fc4e4de7469bc3a5f928bc2e06655db575c70f75f0bd65865b46633e578e5e12b3e29d36af0acef5d3a6b56d739a5a45ddac31bd1246ba65

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
b93a448017dc382b5b99d982e79d33f2

SHA1
16d1a302bb3147d5fb98f233867cb56fbe9d1702

SHA256
aacced5e7cd7bf7301729cc70125f9076d6223be6f513485d8662962d2c3267c

SHA512
0146511e2f484403fc4e4de7469bc3a5f928bc2e06655db575c70f75f0bd65865b46633e578e5e12b3e29d36af0acef5d3a6b56d739a5a45ddac31bd1246ba65

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
b93a448017dc382b5b99d982e79d33f2

SHA1
16d1a302bb3147d5fb98f233867cb56fbe9d1702

SHA256
aacced5e7cd7bf7301729cc70125f9076d6223be6f513485d8662962d2c3267c

SHA512
0146511e2f484403fc4e4de7469bc3a5f928bc2e06655db575c70f75f0bd65865b46633e578e5e12b3e29d36af0acef5d3a6b56d739a5a45ddac31bd1246ba65

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
b93a448017dc382b5b99d982e79d33f2

SHA1
16d1a302bb3147d5fb98f233867cb56fbe9d1702

SHA256
aacced5e7cd7bf7301729cc70125f9076d6223be6f513485d8662962d2c3267c

SHA512
0146511e2f484403fc4e4de7469bc3a5f928bc2e06655db575c70f75f0bd65865b46633e578e5e12b3e29d36af0acef5d3a6b56d739a5a45ddac31bd1246ba65

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
b93a448017dc382b5b99d982e79d33f2

SHA1
16d1a302bb3147d5fb98f233867cb56fbe9d1702

SHA256
aacced5e7cd7bf7301729cc70125f9076d6223be6f513485d8662962d2c3267c

SHA512
0146511e2f484403fc4e4de7469bc3a5f928bc2e06655db575c70f75f0bd65865b46633e578e5e12b3e29d36af0acef5d3a6b56d739a5a45ddac31bd1246ba65

Download Submit
memory/1048-183-0x0000000000000000-mapping.dmp

Download
memory/1552-165-0x0000000000000000-mapping.dmp

Download
memory/1944-130-0x0000000000000000-mapping.dmp

Download
memory/2000-153-0x0000000000000000-mapping.dmp

Download
memory/2052-182-0x0000000000000000-mapping.dmp

Download
memory/2052-184-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2228-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2228-145-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2228-136-0x0000000000000000-mapping.dmp

Download
memory/2324-181-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/2324-172-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/2324-171-0x0000000000000000-mapping.dmp

Download
memory/2768-147-0x0000000000000000-mapping.dmp

Download
memory/3588-166-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3588-164-0x0000000000000000-mapping.dmp

Download
memory/3740-146-0x0000000000000000-mapping.dmp

Download
memory/3740-148-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3856-133-0x0000000000000000-mapping.dmp

Download
memory/3976-169-0x0000000000000000-mapping.dmp

Download
memory/5040-151-0x0000000000000000-mapping.dmp

Download