netwire | cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37

General

Target

cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37.exe
Size

808KB
MD5

5fb94c5b4ca3090c9fcfa3eaf5a756dc
SHA1

015c63e0150aa708991c0089329bf56ef32017b9
SHA256

cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37
SHA512

3df0f4af100b9c243325e7769002c025acd982a502cf27493e2de77fe6e442bb02204205a5f919f47f0899788aeb0f9c643292298b9685ee6639ffd6537635e1

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

microwindws.dynu.net:3361

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
hortWgup
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3492-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3492-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3492-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

Powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkzdjkzdj.url Powershell.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Powershell.exe

description pid process target process

PID 4084 set thread context of 3492 4084 Powershell.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Powershell.exe

pid process

4084 Powershell.exe
4084 Powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Powershell.exe

description pid process

Token: SeDebugPrivilege 4084 Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkzdjkzdj.url	Powershell.exe

description	pid	process	target process
PID 4084 set thread context of 3492	4084	Powershell.exe	vbc.exe

pid	process
4084	Powershell.exe
4084	Powershell.exe

description	pid	process
Token: SeDebugPrivilege	4084	Powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37.exePowershell.exe

description	pid	process	target process
PID 2232 wrote to memory of 4084	2232	cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37.exe	Powershell.exe
PID 2232 wrote to memory of 4084	2232	cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37.exe	Powershell.exe
PID 2232 wrote to memory of 4084	2232	cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37.exe	Powershell.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe
PID 4084 wrote to memory of 3492	4084	Powershell.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37.exe
"C:\Users\Admin\AppData\Local\Temp\cb98930bce872134743d81a536af49d6d74f48d544b6eb86721595fff9f7be37.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy UnRestricted -NoLogo [System.Reflection.Assembly]::Load([Convert]::FromBase64String([IO.File]::ReadAllText('C:\Users\Admin\NTUSER'))).EntryPoint.Invoke($null,$null);
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\NTUSER

Filesize
366KB

MD5
4540c574e2578a4c7e39cf3c4369aac0

SHA1
d485e7f49fa47b8f30fdc3520bbb0514f5ba0841

SHA256
f230a941b83faa844c96639bb2445089aae7493bc21c9b0d51e575269aa0307c

SHA512
7ed62fecbfd15cfa3bcba8a760ae2c4ebe1fe96122c908e949097d2778b6d4d178279ae9308153ce16c12670bdab4f33379b172a915f5b2e22ee0f1200a788d5

Download Submit
C:\Users\Admin\NTUSER.log

Filesize
102B

MD5
09017eca17df1ed44cf48463567f4168

SHA1
1b24205817375622de5f2a5cd6705a91fc3b277d

SHA256
5311b102ecd651c5af890e1a68cc66f625184cb6c6e3974cd16c3af65d91ebe0

SHA512
8510dc3954ef1c45da76cc84e4aff3d693f34be236b53a498391ad222b7bce333511d180f1925cc0ce56e4a7ddfebc5b6a28f6da07ea272af683dd0563ce678d

Download Submit
memory/2232-130-0x0000000000F80000-0x0000000001052000-memory.dmp

Filesize
840KB

Download
memory/3492-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3492-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3492-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3492-141-0x0000000000000000-mapping.dmp

Download
memory/4084-133-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/4084-137-0x0000000004F30000-0x0000000004F4E000-memory.dmp

Filesize
120KB

Download
memory/4084-136-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/4084-140-0x0000000007430000-0x00000000074CC000-memory.dmp

Filesize
624KB

Download
memory/4084-135-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/4084-134-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/4084-132-0x0000000004BA0000-0x0000000004BD6000-memory.dmp

Filesize
216KB

Download
memory/4084-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing