netwire | 5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23

General

Target

5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe
Size

374KB
MD5

9d5c47402efe9b9cfdf9e75d93d0f35f
SHA1

ed32b8730cffa1a3a6e27f5a5e6273d69c9f7ac5
SHA256

5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23
SHA512

ab350091a7b2dd20bf91bfa241b54ac9f7d9668c53ddcfffabb2465817563de2f3ac8bb9ec3f33895636a6ef2108f748d19693ea325a80933b4ae9c902874fe2

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1056-67-0x00000000009D0000-0x00000000009FC000-memory.dmp	netwire
behavioral1/memory/1564-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1564-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1564-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1564-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1564-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1564-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1564-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

description	pid	process	target process
PID 1056 set thread context of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

pid	process
1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe
1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

description pid process

Token: SeDebugPrivilege 1056 5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

description	pid	process
Token: SeDebugPrivilege	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.execsc.exe

description	pid	process	target process
PID 1056 wrote to memory of 1224	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	csc.exe
PID 1056 wrote to memory of 1224	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	csc.exe
PID 1056 wrote to memory of 1224	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	csc.exe
PID 1056 wrote to memory of 1224	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	csc.exe
PID 1224 wrote to memory of 1696	1224	csc.exe	cvtres.exe
PID 1224 wrote to memory of 1696	1224	csc.exe	cvtres.exe
PID 1224 wrote to memory of 1696	1224	csc.exe	cvtres.exe
PID 1224 wrote to memory of 1696	1224	csc.exe	cvtres.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe
PID 1056 wrote to memory of 1564	1056	5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe
"C:\Users\Admin\AppData\Local\Temp\5ded0821335f676cc6ebe00711e0ec55297efe5d88468f7814b6241e16b0cb23.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c0rzszhk\c0rzszhk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEAA.tmp" "c:\Users\Admin\AppData\Local\Temp\c0rzszhk\CSC807C755E71E546B7A5C26B4D99A5B44.TMP"
3⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFEAA.tmp
Filesize
1KB

MD5
7436b78591e4f19a9970b7a493f0fbaf

SHA1
1b941e2504c00b073ff15ecc5244b76c1fcd5324

SHA256
68389df28be5c15e3b8ac527cbb686650933a4c292fef75a0c2d868036d047bb

SHA512
b9867800c0bd6e8c5f7fc11f46d24718763b81346810724f1f1a4fc086f61fcb9c3abba9693bc77f36b0f0fa51c1d3b695655582f99f88558bb547bbd177f682

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0rzszhk\c0rzszhk.dll
Filesize
7KB

MD5
70703206459df820cf951b4148de1054

SHA1
139f14f1401f0a2f97b13405406a41f729d92db9

SHA256
0c2f451a8b9a8bf0018d77ede3ba873ca09c56d8083df00964858a9c30ceea60

SHA512
c33b1b2b2dad11b69631d6a025200545f8f1df879f414c2ce62897bddcadb9ec9f5bea62713cc10424d66ee9e342da88aa49dd245f3d3077265bf57abe79cdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0rzszhk\c0rzszhk.pdb
Filesize
23KB

MD5
df91c6c144d42a47c272a26e241224f3

SHA1
6917836023a80a2501425778816e8684ce0a8a1a

SHA256
9a7e15be912f2c261b4f02dafdad1660d28eb06a0fdbe78d9a214825a49b616d

SHA512
910812f6c787e16f1d029a5825d35a11c91dd970aff210819a39065a51782f3b6023484b559fd383582bb2cbd7cc3b190ec32a9a08cd157629fc23a2f66f5fdd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c0rzszhk\CSC807C755E71E546B7A5C26B4D99A5B44.TMP
Filesize
1KB

MD5
87014917d2d02dac0744a8398abddce1

SHA1
4358e880eb9682e039be709ef782858ea8796d55

SHA256
dbdc3c6df1ca59430ad7d4e6813d1baaf1cd5f300374bbedf498d8468688e17e

SHA512
d27d8ec22ef4f564237a7cc467cf93f898e18a9fc2dc094f3d2013e1f1299e269f5256eabcfd2f0f3b598c899234b0fe4e6afe22f74f1b4afedadce080bfdac1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c0rzszhk\c0rzszhk.0.cs
Filesize
6KB

MD5
03b475d1f8b9591b245e76a284162277

SHA1
3854547a50e3dbd9b9820b43630e51da8d06e8cb

SHA256
e28caa6125f70bd17bbbac32f67154f22b3a09a64efd3365e14dc909bdc1543c

SHA512
a4464c0af975e61155a958ec15edd80da96846b5ed615e4fdee2e4f158dd089eb85cf0bf9d3942124dd61942d51aa84b8060c65bb4fb99fa4fe1c73f6e763d39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c0rzszhk\c0rzszhk.cmdline
Filesize
312B

MD5
89bf2224334e1e2f6dfadfa9f6cd54fc

SHA1
76cd61a6c3bb98cfaecb55c47cada7dc0e57ccb0

SHA256
ce7ce94c38d9a58febb88747816023e2fc9dc4d6e014e447e8dc825f052c9dc5

SHA512
d60b7ad393155a62e2096c8e0adc284782387a0c16bd7ec65463057d4827f347d14b142cde732ee0200f9070f5a7b6d34ea5590c1360950c5b337c5468f99527

Download Submit
memory/1056-65-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1056-67-0x00000000009D0000-0x00000000009FC000-memory.dmp

Filesize
176KB

Download
memory/1056-63-0x0000000000230000-0x0000000000238000-memory.dmp

Filesize
32KB

Download
memory/1056-64-0x0000000000680000-0x00000000006B2000-memory.dmp

Filesize
200KB

Download
memory/1056-66-0x0000000074E11000-0x0000000074E13000-memory.dmp

Filesize
8KB

Download
memory/1056-54-0x0000000000A40000-0x0000000000AA2000-memory.dmp

Filesize
392KB

Download
memory/1224-55-0x0000000000000000-mapping.dmp

Download
memory/1564-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-78-0x0000000000402BCB-mapping.dmp

Download
memory/1564-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1564-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1696-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads