netwire | 50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301

General

Target

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe
Size

182KB
MD5

67e4fd83de43eaf93e7c9faf77c36f78
SHA1

bbeddca7949e44d92a6207a31a29f41cca462ba0
SHA256

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301
SHA512

42684195a35b81fb1b4f6d8266a9568c768b3c0c64ef660cf9807bff2d0c853ab8755e7f7e79135c67ebb37c253e9e104218de97e86431d380ff1321d497ce62

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1592-67-0x0000000000660000-0x000000000068C000-memory.dmp	netwire
behavioral1/memory/1120-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1120-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1120-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1120-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1120-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1120-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1120-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description	pid	process	target process
PID 1592 set thread context of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

pid	process
1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe
1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description pid process

Token: SeDebugPrivilege 1592 50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description	pid	process
Token: SeDebugPrivilege	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.execsc.exe

description	pid	process	target process
PID 1592 wrote to memory of 960	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	csc.exe
PID 1592 wrote to memory of 960	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	csc.exe
PID 1592 wrote to memory of 960	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	csc.exe
PID 1592 wrote to memory of 960	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	csc.exe
PID 960 wrote to memory of 924	960	csc.exe	cvtres.exe
PID 960 wrote to memory of 924	960	csc.exe	cvtres.exe
PID 960 wrote to memory of 924	960	csc.exe	cvtres.exe
PID 960 wrote to memory of 924	960	csc.exe	cvtres.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 1592 wrote to memory of 1120	1592	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe
"C:\Users\Admin\AppData\Local\Temp\50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qh2zppzf\qh2zppzf.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFECA.tmp" "c:\Users\Admin\AppData\Local\Temp\qh2zppzf\CSC1E983C5DF9FB4DE8A6F17D1FA7A29CD.TMP"
3⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFECA.tmp

Filesize
1KB

MD5
b066c58282822102ce437a37a07380bc

SHA1
9a74058313dc57d0c12a22bee0189ed0a3c13766

SHA256
83108f0ea1c710f09cdc48c29a98512493b1a1664e7f7357a1b967a7f6de0e47

SHA512
0a11d4ae78f1a0fedc0990601b3ca5448f656040a3249c00211de838d0889f9c57d2cb71c7480b4f55417c3e51d6d9dce2c348345c861cb6410136edbb78a848

Download Submit
C:\Users\Admin\AppData\Local\Temp\qh2zppzf\qh2zppzf.dll

Filesize
7KB

MD5
3a4c4a747fadfcd0049e501b5f55da7e

SHA1
76e57210b37f19b3015fef895e526361f480cbd3

SHA256
17980f7a2d3ec3a653ecc04e5230f7ed0a56ebc597a5ecb179a1d1c306b430e1

SHA512
4e2c76d0f2ebe87ecd6b7979768438388799be5a846c20191fb7f6c3dc68b3e4ef485f8d9ff9ca10081322372cc46fcbbd1b106c6d966135cd5a2de0efec204b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qh2zppzf\qh2zppzf.pdb

Filesize
23KB

MD5
ee7165ae43d64d619ce3e9ace9c6bc75

SHA1
7c680c45ae6d10e3a590677d1e7e34a430857b0d

SHA256
5f47d08f0690a29c83fe28d7307d61bc6ddeb45665f6179a0ad61c767ac47d84

SHA512
3e0f9fef27408a6756f222008bc65eb2738b87bac346731570664833901b9d3d5baa8235524241dff8c49a9f39838abe1ab23873ef2bba53cb27d9cc467dbc49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qh2zppzf\CSC1E983C5DF9FB4DE8A6F17D1FA7A29CD.TMP

Filesize
1KB

MD5
a5c02e72cb36a4015b2a4cfc856b84da

SHA1
9eba7b52b5678a5c18471ae55cc8c580943a6e51

SHA256
10451d284d699f17968b72054d0aaa25fc008b528aa9b76de03a9d4e6d81ebe7

SHA512
1a4fad7ef0acb39449abaf0384bc60d8db3fcafe9c420b644f3c6e941e36d66769eb5626bb6fdea25edd82bc68ec76c93c4c590766c8938e0a98e6d75144066f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qh2zppzf\qh2zppzf.0.cs

Filesize
5KB

MD5
b4d1dc91816b18e6610800374dfe2564

SHA1
934b6ff43c153fda227a663c26be5ff602d44dd9

SHA256
99b937a2167ba8bad6a2bb5c9574059d78b4f43b28eeab294b98a5f27928bf56

SHA512
73c9da27ec899e4eefa1024b720db528b143c21017c328adee19262ad9a5397f3635f8c9d05a3a7d1685253df2c4365c775763fc30a04fc2d826b8a7c2ce2136

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qh2zppzf\qh2zppzf.cmdline

Filesize
312B

MD5
778b8eb7421b834fa567e573918477d9

SHA1
b7104b876f7741b4d2b1022542da14c973290571

SHA256
42f8a566f374c15f992ffe2e3418414c58c7a9d642f2782c42801667de89918a

SHA512
e725299f8a26b2b19710ec9b664756f0a2534585ba44404f995f76e313c915a8c6c273a4b5f01efe4fa0eb9e6b779862fd5aa9c057f5fd94fbfc41d8e3220c82

Download Submit
memory/924-58-0x0000000000000000-mapping.dmp

Download
memory/960-55-0x0000000000000000-mapping.dmp

Download
memory/1120-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-78-0x0000000000402BCB-mapping.dmp

Download
memory/1120-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1592-66-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1592-54-0x0000000001110000-0x0000000001144000-memory.dmp

Filesize
208KB

Download
memory/1592-67-0x0000000000660000-0x000000000068C000-memory.dmp

Filesize
176KB

Download
memory/1592-63-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/1592-65-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1592-64-0x0000000000610000-0x0000000000642000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads