netwire | 573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
Size

1.6MB
MD5

2c5dcf7821c1098be0c0fb0b9111b112
SHA1

0d034ed0671d6f90b3be6f92fc010ae533bdcd05
SHA256

573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd
SHA512

5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b

Score

10^/10

netwire quasar mine new botnet rat spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Mine New

manuel3.publicvm.com:1022

Mutex

QSR_MUTEX_z2tvmEKtJhCWkEoFqb

Attributes

encryption_key
lzO7ipRSIXeoGW0A0XSN
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

netwire

manuel3.publicvm.com:3366

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
KosdgdKb
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/848-64-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/848-72-0x0000000000082BCB-mapping.dmp	netwire
behavioral1/memory/848-75-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/548-98-0x0000000000082BCB-mapping.dmp	netwire
behavioral1/memory/548-102-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 15 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
\Users\Admin\AppData\Roaming\Install\Host.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Install\Host.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Install\Host.exe	family_quasar
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
behavioral1/memory/1160-82-0x0000000000820000-0x000000000087E000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Install\Host.exe	family_quasar

suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 4 IoCs

Processes:

Client-built New Mine Quasar.exeHost.exeClient-built New Mine Quasar.exeHost.exe

pid process

1160 Client-built New Mine Quasar.exe
1372 Host.exe
1708 Client-built New Mine Quasar.exe
548 Host.exe

pid	process
1160	Client-built New Mine Quasar.exe
1372	Host.exe
1708	Client-built New Mine Quasar.exe
548	Host.exe

Loads dropped DLL 8 IoCs

Processes:

573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exeHost.exe

pid	process
972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
848	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
1372	Host.exe
1372	Host.exe
1372	Host.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

flow	ioc
3	ip-api.com

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exeHost.exe

description	pid	process	target process
PID 972 set thread context of 848	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
PID 1372 set thread context of 548	1372	Host.exe	Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Host.exe

pid process

1372 Host.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client-built New Mine Quasar.exe

description pid process

Token: SeDebugPrivilege 1160 Client-built New Mine Quasar.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client-built New Mine Quasar.exe

pid process

1160 Client-built New Mine Quasar.exe

pid	process
1372	Host.exe

description	pid	process
Token: SeDebugPrivilege	1160	Client-built New Mine Quasar.exe

pid	process
1160	Client-built New Mine Quasar.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exeHost.exe

description	pid	process	target process
PID 972 wrote to memory of 1160	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Client-built New Mine Quasar.exe
PID 972 wrote to memory of 1160	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Client-built New Mine Quasar.exe
PID 972 wrote to memory of 1160	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Client-built New Mine Quasar.exe
PID 972 wrote to memory of 1160	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Client-built New Mine Quasar.exe
PID 972 wrote to memory of 848	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
PID 972 wrote to memory of 848	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
PID 972 wrote to memory of 848	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
PID 972 wrote to memory of 848	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
PID 972 wrote to memory of 848	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
PID 972 wrote to memory of 848	972	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
PID 848 wrote to memory of 1372	848	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Host.exe
PID 848 wrote to memory of 1372	848	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Host.exe
PID 848 wrote to memory of 1372	848	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Host.exe
PID 848 wrote to memory of 1372	848	573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe	Host.exe
PID 1372 wrote to memory of 1708	1372	Host.exe	Client-built New Mine Quasar.exe
PID 1372 wrote to memory of 1708	1372	Host.exe	Client-built New Mine Quasar.exe
PID 1372 wrote to memory of 1708	1372	Host.exe	Client-built New Mine Quasar.exe
PID 1372 wrote to memory of 1708	1372	Host.exe	Client-built New Mine Quasar.exe
PID 1372 wrote to memory of 548	1372	Host.exe	Host.exe
PID 1372 wrote to memory of 548	1372	Host.exe	Host.exe
PID 1372 wrote to memory of 548	1372	Host.exe	Host.exe
PID 1372 wrote to memory of 548	1372	Host.exe	Host.exe
PID 1372 wrote to memory of 548	1372	Host.exe	Host.exe
PID 1372 wrote to memory of 548	1372	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
"C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972

C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
"C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe
"C:\Users\Admin\AppData\Local\Temp\573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
"C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe"
4⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
C:\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.6MB

MD5
2c5dcf7821c1098be0c0fb0b9111b112

SHA1
0d034ed0671d6f90b3be6f92fc010ae533bdcd05

SHA256
573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd

SHA512
5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.6MB

MD5
2c5dcf7821c1098be0c0fb0b9111b112

SHA1
0d034ed0671d6f90b3be6f92fc010ae533bdcd05

SHA256
573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd

SHA512
5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.6MB

MD5
2c5dcf7821c1098be0c0fb0b9111b112

SHA1
0d034ed0671d6f90b3be6f92fc010ae533bdcd05

SHA256
573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd

SHA512
5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b

Download Submit
C:\Users\Admin\AppData\Roaming\server 2019.exe
Filesize
172KB

MD5
3146f4dd38096e1fe25844d859098f7b

SHA1
aa3f3cb481100feac6128288c30539d5dba4477c

SHA256
feef025eaebb31b58e46d7d0e8db5f0e0352f26bb210874a540b514545940365

SHA512
092f8a7b24b2c723b9d933de5ca8f32a8dbe46f31e6d343ce465c9a3f8c098d70fdc122b87db91e05f0108f3b5cebe142811fa4f39539df09e99869881ca3209

Download Submit
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
\Users\Admin\AppData\Roaming\Client-built New Mine Quasar.exe
Filesize
349KB

MD5
dc1f074b41b4aa0ae4c5d1341a653299

SHA1
7ab804dbe6492e37fa880d12fc1102fead2faffb

SHA256
bb4bde3c20fb19218d7c58e07151f8b9006df18a793e8cd01a837a05d9d550f0

SHA512
fe70cee7b6ebf93d229f5a0be05bcd8ce2157d3aeba1fccd2390241121e0b57d6b72ff847327a5ebfc0b70cf2910d7714046fb1dd0d625ef3e42d8d32fbb049e

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
1.6MB

MD5
2c5dcf7821c1098be0c0fb0b9111b112

SHA1
0d034ed0671d6f90b3be6f92fc010ae533bdcd05

SHA256
573c27f4e0c548e2019acee758099a4a3cdd903c27e884bc640c632cb56258cd

SHA512
5e0b5f4d7f5731844e8d68743ff5092549481e93e083763dd7315eb214aa5750bf0e12ad4fe0c7f56f437bffd70a5e4886f7cb475170a69377f2631658d9987b

Download Submit
memory/548-98-0x0000000000082BCB-mapping.dmp

Download
memory/548-102-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/848-75-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/848-72-0x0000000000082BCB-mapping.dmp

Download
memory/848-64-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/848-62-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/972-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1160-82-0x0000000000820000-0x000000000087E000-memory.dmp

Filesize
376KB

Download
memory/1160-59-0x0000000000000000-mapping.dmp

Download
memory/1372-77-0x0000000000000000-mapping.dmp

Download
memory/1708-86-0x0000000000000000-mapping.dmp

Download