netwire | f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09

General

Target

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe
Size

258KB
MD5

dc0e9d999a069b736be23872cce791c6
SHA1

80ba32eaf12efd4f5e8d0d1c67c24dd86181817d
SHA256

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09
SHA512

1b1b9ed216730516c4c98d747632d42b67e6694f9be0da3da841b6410f2dffc799867af8f40c8e75ddcf6114814e90b46fc8dc56750d74d4659518ea74a378b9

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
vkRChWpP
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1772-67-0x00000000007E0000-0x000000000080C000-memory.dmp	netwire
behavioral1/memory/1284-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1284-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1284-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1284-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1284-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1284-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1284-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RGZapP.url	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description	pid	process	target process
PID 1772 set thread context of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

pid	process
1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe
1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description pid process

Token: SeDebugPrivilege 1772 f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description	pid	process
Token: SeDebugPrivilege	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.execsc.exe

description	pid	process	target process
PID 1772 wrote to memory of 1236	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	csc.exe
PID 1772 wrote to memory of 1236	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	csc.exe
PID 1772 wrote to memory of 1236	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	csc.exe
PID 1772 wrote to memory of 1236	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	csc.exe
PID 1236 wrote to memory of 1392	1236	csc.exe	cvtres.exe
PID 1236 wrote to memory of 1392	1236	csc.exe	cvtres.exe
PID 1236 wrote to memory of 1392	1236	csc.exe	cvtres.exe
PID 1236 wrote to memory of 1392	1236	csc.exe	cvtres.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 1772 wrote to memory of 1284	1772	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe
"C:\Users\Admin\AppData\Local\Temp\f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\maxwvbn5\maxwvbn5.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES79F1.tmp" "c:\Users\Admin\AppData\Local\Temp\maxwvbn5\CSC544DDB1B8EC4D4C980A358F0F13062.TMP"
3⤵
PID:1392

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES79F1.tmp

Filesize
1KB

MD5
173802f21c2b8da59661d6198f0fce31

SHA1
3da45101c02b78ca93c13d102a63d371bd687bd3

SHA256
6b526d98a6dcd5e9b816c49773a5446dad1bbef00c66e3495803da72b497b542

SHA512
fa5e5be1587f5e9193cb81e160a2a4d105f9780bd7c460d530a2ad1235a231824db0517b8b82b7916d8ddb5e2f7a11f8468ecaa7578cbe2b60d7d90ba1218d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\maxwvbn5\maxwvbn5.dll

Filesize
16KB

MD5
219174e9d0220700882971afca857c5a

SHA1
e2f0f472114177872cd7711c6289481660494f10

SHA256
f6a52f971a98e2ee43c8bf61bcc9a30f8736ae963bbfcf171518cb755cbb4ee8

SHA512
6545cdd860f9d98574c49d9283598e2133c9714f051dd85e8e82ba2dcb7ed3b8f122d4173562e713783b1a8fff2f59c630af81b057dce468f280a41128d1129d

Download Submit
C:\Users\Admin\AppData\Local\Temp\maxwvbn5\maxwvbn5.pdb

Filesize
53KB

MD5
51594aba9edfa2f7dbe0c6f64a5d4397

SHA1
cfb72e35973e3a7c80fc4ba6f8001d330f8e8774

SHA256
5d4058c821c5f5632e07e2a906239c8f0c0fb9455d4ec2291e788c51956ed4d4

SHA512
48ac59e1a7bdebddf4856ccb7d65f706ad3571b48350ec491317773c8f5e53c5dbf0469ab1afe839ff24aaf3a8b6ec93ce36bedd485c930e1fa3d660661adcb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\maxwvbn5\CSC544DDB1B8EC4D4C980A358F0F13062.TMP

Filesize
1KB

MD5
05098f99379aeb31c2e83fea3f0609cb

SHA1
634bf527892179f87a1776be56be18f301fdeb7a

SHA256
4a38d2b2d1eadc9545c570482bc1b8c5834dc1628736ac28230fb4e8d2f4721f

SHA512
23234aed3bd3608e36e47354f3a6c81d6a3d0b014c28939dec6bc7a297c49c4dc26bb618230a9e31440eac24442a4bba8ce511bca9b2453bc9b0ccda71c389e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\maxwvbn5\maxwvbn5.0.cs

Filesize
35KB

MD5
6a193dcb503eb4a81f57d4dd4fa7c72d

SHA1
0c9474a3ffa21c5cf70016671fc9935e2a4e94c4

SHA256
799afe1cbd6ca7c97013068a78be107b9cbabe3e84d7dd33c181aee5948224f3

SHA512
e6296f733e562dee2e1c087a039c6d9273a7035e95bf348eb79161c6b8ab85c66ef0c5cb53f9eb70c84b8ad417d556e243538a555f39494b213e8e314009d9e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\maxwvbn5\maxwvbn5.cmdline

Filesize
312B

MD5
bb57ed6f01f3220a14e89bcdec04895d

SHA1
798e945eb1c35d16891f65e972836af00db6641c

SHA256
7e3c6d1c7780863c8f96ee3610008e78c02281102266731f98c122b70275ad6c

SHA512
976894ef5d3fa8c2120f8d33628214f3b1efff5fb616b5ed2bd1521858d32851dadaa541d5e591404d344fe221ba3997c09921ff78cadf416a360a7c55593487

Download Submit
memory/1236-55-0x0000000000000000-mapping.dmp

Download
memory/1284-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1284-78-0x0000000000402BCB-mapping.dmp

Download
memory/1284-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1392-58-0x0000000000000000-mapping.dmp

Download
memory/1772-66-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1772-54-0x0000000000EC0000-0x0000000000F06000-memory.dmp

Filesize
280KB

Download
memory/1772-67-0x00000000007E0000-0x000000000080C000-memory.dmp

Filesize
176KB

Download
memory/1772-64-0x00000000007B0000-0x00000000007E2000-memory.dmp

Filesize
200KB

Download
memory/1772-65-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1772-63-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads