netwire | 56122070a3bdb1f168cbae330d58b9c268700509420d2670ccafd01221b45751

Analysis

max time kernel
35s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

files/9.exe
Size

225KB
MD5

d6cabf8ccf6234a76fef52b30f60e798
SHA1

f1f351318f77fe80d1191e238127776a2066ce6c
SHA256

f2ec4e6c59e621e82f6e0f8e683f4a525c498041a272011d0c3772d6716c5317
SHA512

5d830240d0bce8005f9c598c0a54ed721989de40b35a325b7db257f48701e1fd64c8a1eca617e9f71acd294c362ceeeb78fc56af7a115531eec635fe5d0fc2b7

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

212.7.208.129:4951

Attributes

activex_autorun
true
activex_key
{W5H5J6SC-J820-0WAA-6G7H-B07JHQR8687C}
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
mutex
LGcSGuSj
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral29/memory/1040-67-0x00000000049F0000-0x0000000004A1C000-memory.dmp	netwire
behavioral29/memory/996-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral29/memory/996-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral29/memory/996-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral29/memory/996-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral29/memory/996-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral29/memory/996-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral29/memory/996-85-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
832	Host.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	9.exe

Loads dropped DLL 1 IoCs

pid	Process
996	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1040 set thread context of 996	1040	9.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1040	9.exe
1040	9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	9.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 1804	1040	9.exe	28
PID 1040 wrote to memory of 1804	1040	9.exe	28
PID 1040 wrote to memory of 1804	1040	9.exe	28
PID 1040 wrote to memory of 1804	1040	9.exe	28
PID 1804 wrote to memory of 1264	1804	csc.exe	30
PID 1804 wrote to memory of 1264	1804	csc.exe	30
PID 1804 wrote to memory of 1264	1804	csc.exe	30
PID 1804 wrote to memory of 1264	1804	csc.exe	30
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 1040 wrote to memory of 996	1040	9.exe	31
PID 996 wrote to memory of 832	996	vbc.exe	32
PID 996 wrote to memory of 832	996	vbc.exe	32
PID 996 wrote to memory of 832	996	vbc.exe	32
PID 996 wrote to memory of 832	996	vbc.exe	32

C:\Users\Admin\AppData\Local\Temp\files\9.exe
"C:\Users\Admin\AppData\Local\Temp\files\9.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ngzuiiwq\ngzuiiwq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7965.tmp" "c:\Users\Admin\AppData\Local\Temp\ngzuiiwq\CSC8EE65D29B50C402D872917D52A5A9CEC.TMP"
    3⤵
    PID:1264
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Executes dropped EXE
    PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7965.tmp

Filesize
1KB

MD5
037c1df1c2d543e09944e7bf629453f2

SHA1
00891c11507e40e0b3bd9e99ba36c966b39d0248

SHA256
342defba47012bfe6ccdc99e814a0bee1c9d6839c8da11edf2db76b0cebed99f

SHA512
5395bbb50f19b6e7e48edbd7f85ae47c2a1323f8b9360f691c11ae8135e15d657661409c4a40d77aec63a6b27c1a75caa80e67b236c280d8b06646e79933213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngzuiiwq\ngzuiiwq.dll

Filesize
13KB

MD5
686c8b1e73337a20316b27f84f89644f

SHA1
e133a56d989c52992877a78556ad5fd50ed54816

SHA256
126dfb810bb2fb6d9fb8c629cd81f5bccad9e81c7d2911bb2fa531f134b087f6

SHA512
f673572fe4186469d84a6547975272f0df6b506e4eade22521bf258a897c4b34f06356a2575d9e89f31b7c1f55a7f6446f4ac344774f429f89b32e4ed95606a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngzuiiwq\ngzuiiwq.pdb

Filesize
39KB

MD5
e9e3dab88bd59e4ecf192ee98b905ad1

SHA1
c481b036407dfb83d3a0a36efc9c38f9a122e208

SHA256
158d242283e9d69417818d0e5e4789ebefbacaaa5501c9030d116e25c09cf4f3

SHA512
a6950778d73383ccfc9bded8f9fa00bd40d47f655f638326a58e7c65419983392efb653180fc1f78d639a5ec7c4d0ff351c640e39e9ef695593c8cd8fc31d4bb

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ngzuiiwq\CSC8EE65D29B50C402D872917D52A5A9CEC.TMP

Filesize
1KB

MD5
8e8e583191ecbd45bfbd64df94fef33e

SHA1
a328c7bdaed0c3ab224e17fea3b2b175fb7e4964

SHA256
d91a3f3ee383d7fddf8d1511dea890b940cdaee5fb3175d60bd9a49aabe09b3c

SHA512
5e2eb58241d855338c508c106982988243a591e29621c6a6467d732e77ff82bbc91589587485a12d15a7c2bd1aedd8f12bacf53ec0d4f4cb53c5feec3ea96cb7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ngzuiiwq\ngzuiiwq.0.cs

Filesize
22KB

MD5
8838687226e6284e6112c814ed32b916

SHA1
4262b9a3887d76358aa49021e84ea32fcdb19df0

SHA256
8cf35cd411608212a8989ba76bb3dd01228d8118c64c36121c7defb81ac8e6b6

SHA512
716630cac5b23b1417ce478613ae56b7bde341f5c36b85588376711f061bef8ce7ee499d3f6aaf3f1533ecc2d7c5a0c542d61f1580cb3820c321703dbcd8e071

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ngzuiiwq\ngzuiiwq.cmdline

Filesize
312B

MD5
ca7b6363c21397e5c93f3dd10cf4dc48

SHA1
1d1c1d9a228449a57cb4b1448c266c7c90e6f198

SHA256
c42532d72ba95c2cdc477765dfb15e81fb8f9c0573ca9e86cb37b4d9f54911a6

SHA512
b937665af5c9d2497ea363a59404b655ace49c6b9e1310ca286b685c0ac6a7c26274c1e4139a377fbcef25af0dd2bc894a43eedac42dd1c44048552fffba74ac

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/996-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/996-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1040-65-0x0000000001E60000-0x0000000001E6C000-memory.dmp

Filesize
48KB

Download
memory/1040-54-0x0000000000040000-0x000000000007E000-memory.dmp

Filesize
248KB

Download
memory/1040-67-0x00000000049F0000-0x0000000004A1C000-memory.dmp

Filesize
176KB

Download
memory/1040-64-0x00000000044F0000-0x0000000004522000-memory.dmp

Filesize
200KB

Download
memory/1040-63-0x0000000001DA0000-0x0000000001DAA000-memory.dmp

Filesize
40KB

Download
memory/1040-66-0x00000000749D1000-0x00000000749D3000-memory.dmp

Filesize
8KB

Download