netwire | 4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2

General

Target

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe
Size

491KB
MD5

1fc09dd624c462ec94c4e14fff3d0cfc
SHA1

4ec944ff2255fbf6d0519daf04460c7db83e5737
SHA256

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2
SHA512

38272e663a7132dd2ae7dbf0f10a33268caacf1c2827f4e5b26b7cf79fec45226c15c333fe515772e637ef0b4ad4021be0e80f209a1257cb83adae21c376affb

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4500-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4500-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4500-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4500-146-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description	pid	process	target process
PID 4372 set thread context of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

pid	process
4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe
4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description pid process

Token: SeDebugPrivilege 4372 4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

description	pid	process
Token: SeDebugPrivilege	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.execsc.exe

description	pid	process	target process
PID 4372 wrote to memory of 3804	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	csc.exe
PID 4372 wrote to memory of 3804	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	csc.exe
PID 4372 wrote to memory of 3804	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	csc.exe
PID 3804 wrote to memory of 3176	3804	csc.exe	cvtres.exe
PID 3804 wrote to memory of 3176	3804	csc.exe	cvtres.exe
PID 3804 wrote to memory of 3176	3804	csc.exe	cvtres.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe
PID 4372 wrote to memory of 4500	4372	4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe
"C:\Users\Admin\AppData\Local\Temp\4f02875b49165e6227aba2077b27745bc397e198824a45b643993a3c7d6c79e2.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fzhk3ypz\fzhk3ypz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF90.tmp" "c:\Users\Admin\AppData\Local\Temp\fzhk3ypz\CSC11F28DF0C0E4495B939CC9DCF80BA12.TMP"
3⤵
PID:3176

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF90.tmp

Filesize
1KB

MD5
93febc014ef39a94d3c8f1aa85d486b2

SHA1
ab1e79e0becb82b831ac44dcace0308ef7b4a66f

SHA256
f6e699c79ea1bac210a934ccdef0d5510012b2f2a329584a810c241a52ceea2a

SHA512
de879a0b0714866935a3edac14bcfbcf418bbef1c0da6b319dae64f944a490974d0a5d4a99cd8103621fdebcd78d42c5a073d7cdf8af953c01e5a41d2d9b12e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzhk3ypz\fzhk3ypz.dll

Filesize
19KB

MD5
6a37afebb52116dbfdeca34f66bce069

SHA1
ecb70d77acf0beeef360ac36414ec2ade372b024

SHA256
de56cb242617a73cc5477f7ec03673ecce9a67fd0c9bea7ae0272e5bf6604de1

SHA512
6684dea4ab44159afe6f95eeb92e133fa400bcb2b49391e9ebe25d295debe37d09cc7894a0b15399d35f0dadc75a0f5955f70fbf78d76d20e5616d06081dc2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzhk3ypz\fzhk3ypz.pdb

Filesize
65KB

MD5
ab19d87f5d5f617b1b370ca71f3100ee

SHA1
cd4271818f09718d4cc487d76be109c1f78899d5

SHA256
4d7be8d98fe9642cd0a7b2dee08cd44ffea11ebe9d28c5210b8d14fb8b634522

SHA512
7fb5a5fed4573065076d9723db217b23ac3b67eac37f1276442c0e14f8437be00ead538994536508bd9aef38e54f4523d4ecb39aa55080d6c3fa5faaaf6c00b5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzhk3ypz\CSC11F28DF0C0E4495B939CC9DCF80BA12.TMP

Filesize
1KB

MD5
bbec3bef69e61162df769bf24506795d

SHA1
8588a5c4e3d7784dfce4da078ae6527c5cacbd5a

SHA256
0e2bbabb257c6d2e18ad78bd9af27f59f1f7b4b233d96acc68007b5079f1190b

SHA512
c7eda5498ee08ef14eba183e878db40589d4d90a5d7f60638daaa9ab3ead6e6d7f18713a9e983e6c334d59dcdce3c29d09aea11d5dddff87551a43fc1c9ab4a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzhk3ypz\fzhk3ypz.0.cs

Filesize
44KB

MD5
0642f7e939b978b5ddea46176023511c

SHA1
6df689b9698544104bf66a9887edb0ec24a013d1

SHA256
e18cfd933eaf6f3924dcc34be49f75f7acd73842976733c0672a8ab3510b091e

SHA512
35d3a5147f0c5a515bba5dadfd59e41a2ca7ba27e6255fbcac53e968c9d0d853e8204eda08a4ea027979adc34f95cd73dad2700b6e65f4e772f4c20d4f50e939

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzhk3ypz\fzhk3ypz.cmdline

Filesize
312B

MD5
349827bb6622e6c81a4a2c00c4baf8d2

SHA1
2a2011bde4ae2eed612d1ef27e495c28473ec580

SHA256
e790deec579800e3b19097db85c456d83fdbd1961a810840463a2c015763dd34

SHA512
7ef70bc57e4bde88358c857e6c449a6f1846c809b5c28e0f8dc9d53410a43d600d5c9bbf6c72fc53ae296810929301126854d7d3fbf0b58bf5ba27353ae8342d

Download Submit
memory/3176-134-0x0000000000000000-mapping.dmp

Download
memory/3804-131-0x0000000000000000-mapping.dmp

Download
memory/4372-130-0x00000000007A0000-0x0000000000820000-memory.dmp

Filesize
512KB

Download
memory/4372-139-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/4372-140-0x00000000058C0000-0x000000000595C000-memory.dmp

Filesize
624KB

Download
memory/4500-141-0x0000000000000000-mapping.dmp

Download
memory/4500-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4500-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4500-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4500-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads