netwire | 50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301

General

Target

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe
Size

182KB
MD5

67e4fd83de43eaf93e7c9faf77c36f78
SHA1

bbeddca7949e44d92a6207a31a29f41cca462ba0
SHA256

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301
SHA512

42684195a35b81fb1b4f6d8266a9568c768b3c0c64ef660cf9807bff2d0c853ab8755e7f7e79135c67ebb37c253e9e104218de97e86431d380ff1321d497ce62

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3284-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3284-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3284-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description	pid	process	target process
PID 3536 set thread context of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

pid	process
3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe
3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description pid process

Token: SeDebugPrivilege 3536 50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

description	pid	process
Token: SeDebugPrivilege	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.execsc.exe

description	pid	process	target process
PID 3536 wrote to memory of 3480	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	csc.exe
PID 3536 wrote to memory of 3480	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	csc.exe
PID 3536 wrote to memory of 3480	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	csc.exe
PID 3480 wrote to memory of 4428	3480	csc.exe	cvtres.exe
PID 3480 wrote to memory of 4428	3480	csc.exe	cvtres.exe
PID 3480 wrote to memory of 4428	3480	csc.exe	cvtres.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe
PID 3536 wrote to memory of 3284	3536	50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe
"C:\Users\Admin\AppData\Local\Temp\50cc4cd83fa92569a30723236b3c68320fd1bdb90b1dd3e4a162817200849301.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ho23trdu\ho23trdu.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES860D.tmp" "c:\Users\Admin\AppData\Local\Temp\ho23trdu\CSC5F5C0631C0C246DFAFF5BF51EF2A3E8E.TMP"
3⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:3284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES860D.tmp

Filesize
1KB

MD5
6abe6783727c7844a5d4fc37dc3458a9

SHA1
4f4db56d63121dd9ca06c636beea33b46abae5df

SHA256
d781a0047e9d5287bbafd3ac6afccbc3940ef2966064ed3db1096da0c6e65fd8

SHA512
84ddde3080dd2cba3c36b800af831381a784654f6dcdb49f83f4c673f15ce9e3edd1e3684c8deac1e6e1723d3d66b06a12c421b31f22a0ef4217dd5950edaf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ho23trdu\ho23trdu.dll

Filesize
7KB

MD5
1a5f2150cb5591bee0e1d3b9773af5bc

SHA1
2227bb371a4ddb0ddf4ff4335e718304f28c69ac

SHA256
e14a610b810acd4c3c9150c341314aa6805b5e339ad793acd78a32c48db0200c

SHA512
72a1bdd49689eaafeb3f523b3a439ed6e455e50dee93f4ca74e0121ffd05db9ba1b2b300712327be1d23e16c2b446c877274519ae116098d41bec00c2491cb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ho23trdu\ho23trdu.pdb

Filesize
23KB

MD5
ebca6b072dc91f84cda4e4f266537843

SHA1
34bc408fa1b0f998f5d087ea14de3d1d36786265

SHA256
db583c87ffbc98f1d8520a510b36b631464559a96aa8d11804e649c74b977f42

SHA512
aa63660dffd8de8dca943d92f2af0e9053639d04feb157f49b198ba3a8036936909dbaeca003cc7fa6e98cf7e222d55f72c10eb2f78290115f9670824ab2067f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ho23trdu\CSC5F5C0631C0C246DFAFF5BF51EF2A3E8E.TMP

Filesize
1KB

MD5
d5887fe88335a82530461254f0ac846b

SHA1
99c431578ddc2418d66806755f89ed400049d290

SHA256
684cdfd42fabae910072d48e629b61fb0886c4bd5ca26eaa6eb57c9f6631c8b1

SHA512
eaa47510b3574fbb70c84315697c343127c9109f0f20a22586afabcfdabcebc5f574c8c8b10aa508258440647a2c5e74f5a7fd93506a5768d670ec126e194e97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ho23trdu\ho23trdu.0.cs

Filesize
5KB

MD5
b4d1dc91816b18e6610800374dfe2564

SHA1
934b6ff43c153fda227a663c26be5ff602d44dd9

SHA256
99b937a2167ba8bad6a2bb5c9574059d78b4f43b28eeab294b98a5f27928bf56

SHA512
73c9da27ec899e4eefa1024b720db528b143c21017c328adee19262ad9a5397f3635f8c9d05a3a7d1685253df2c4365c775763fc30a04fc2d826b8a7c2ce2136

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ho23trdu\ho23trdu.cmdline

Filesize
312B

MD5
5eee8222654af5c26cae38e9494d5527

SHA1
f02a289ad8aacc7bb4b027293a1f4ddc181f729a

SHA256
edba7db8f3ffaebb45c72a66050c81c2d87430c8d567a154a274bd4bf4463785

SHA512
a298fc1267249ac55e90a1a99291670fbae7c858ef1433c7334ed48b9eddb0242b75afbaf8f282d4676183ee3ba9af83e9c91fdc721848a90e655bf78815af9e

Download Submit
memory/3284-141-0x0000000000000000-mapping.dmp

Download
memory/3284-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3284-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3284-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3480-131-0x0000000000000000-mapping.dmp

Download
memory/3536-130-0x0000000000E90000-0x0000000000EC4000-memory.dmp

Filesize
208KB

Download
memory/3536-139-0x00000000058E0000-0x0000000005972000-memory.dmp

Filesize
584KB

Download
memory/3536-140-0x0000000005FC0000-0x000000000605C000-memory.dmp

Filesize
624KB

Download
memory/4428-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads