netwire | f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09

General

Target

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe
Size

258KB
MD5

dc0e9d999a069b736be23872cce791c6
SHA1

80ba32eaf12efd4f5e8d0d1c67c24dd86181817d
SHA256

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09
SHA512

1b1b9ed216730516c4c98d747632d42b67e6694f9be0da3da841b6410f2dffc799867af8f40c8e75ddcf6114814e90b46fc8dc56750d74d4659518ea74a378b9

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
vkRChWpP
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2292-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2292-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2292-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RGZapP.url	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description	pid	process	target process
PID 4400 set thread context of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

pid	process
4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe
4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description pid process

Token: SeDebugPrivilege 4400 f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

description	pid	process
Token: SeDebugPrivilege	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.execsc.exe

description	pid	process	target process
PID 4400 wrote to memory of 4316	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	csc.exe
PID 4400 wrote to memory of 4316	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	csc.exe
PID 4400 wrote to memory of 4316	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	csc.exe
PID 4316 wrote to memory of 912	4316	csc.exe	cvtres.exe
PID 4316 wrote to memory of 912	4316	csc.exe	cvtres.exe
PID 4316 wrote to memory of 912	4316	csc.exe	cvtres.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe
PID 4400 wrote to memory of 2292	4400	f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe
"C:\Users\Admin\AppData\Local\Temp\f5d2f36d2eb3da932a44aa413182a18d6b3d47d11346d9943c37ab907daf4b09.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qlhcnjr\1qlhcnjr.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCBB.tmp" "c:\Users\Admin\AppData\Local\Temp\1qlhcnjr\CSCB06D990FFE0D43538D150ACE6FA82BA.TMP"
3⤵
PID:912

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1qlhcnjr\1qlhcnjr.dll

Filesize
16KB

MD5
1addb3fa88caac9f898d2f0fd586a4f0

SHA1
03efa23047fb10232393ff490062f2b7440cbca4

SHA256
4577ea4734eaddeedad59c7c167392c09f9f0b79d41584e7ee23f11ed5cdd449

SHA512
8956d3930c4d9b5bdc3cffa98eb18be7d1950100eb7fd15e5028ea36ee111e36ba389a50b37a1fe1e986e714dbed19ec35b63c9d4ee3bb0f9712e456165b52a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qlhcnjr\1qlhcnjr.pdb

Filesize
53KB

MD5
3bc973162d1e801cb470b7adf5ea972e

SHA1
5b6dea6c74b4d3239befc7606a136c20b13fdcb8

SHA256
a348bf370beb9706186c2defc1f23a8997976b8bdcb9b31800996eb5a2d4dd2b

SHA512
c3bd78c89f686ac5a0b2b40bacda66d40ef584c7442ee7931fff7f29c997869b7aec9fd3930826e9cf9e683b280a5bb6875aeb44a6486d4cc0a2ce6cb7971488

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCBB.tmp

Filesize
1KB

MD5
9dfdb23f0c81de993ec4229e167810d8

SHA1
5d6b1176cbed6686fdaf087d158d07c2f2fa1531

SHA256
01fc92d436d4707f77819197fb15a7b4a291f9ba1b12ab16bb0b0e627cb268af

SHA512
f6829d9ca8259dfd5529519e873a77bd7c3b33e4cbe2c3ecc123b6e0417b8d64cb17309b2495791adbaecf8798c4b85649ee4aec1cfaed4d5b75ea8785bc262d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qlhcnjr\1qlhcnjr.0.cs

Filesize
35KB

MD5
6a193dcb503eb4a81f57d4dd4fa7c72d

SHA1
0c9474a3ffa21c5cf70016671fc9935e2a4e94c4

SHA256
799afe1cbd6ca7c97013068a78be107b9cbabe3e84d7dd33c181aee5948224f3

SHA512
e6296f733e562dee2e1c087a039c6d9273a7035e95bf348eb79161c6b8ab85c66ef0c5cb53f9eb70c84b8ad417d556e243538a555f39494b213e8e314009d9e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qlhcnjr\1qlhcnjr.cmdline

Filesize
312B

MD5
c67f248d054fd4410f38657c5ef1d440

SHA1
a4e5f1708e4b6e9cbc8154c4c2aa82d410208bf4

SHA256
9d6902966db741a5276426e4ddf9e3042e3d37ed1c2f1a7e507aa5de1a321ea0

SHA512
2890d187adf5071f416f9901fc9a8a38cfceeb5877a00b4d6b992b3ac328e9ce8de753a59dd35ad25574d991b6a652a48c854b12f7965017fec394438b0c3533

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qlhcnjr\CSCB06D990FFE0D43538D150ACE6FA82BA.TMP

Filesize
1KB

MD5
d3bdd13f12673e1d5a92e6c7fa550166

SHA1
5a3fff7b1ebad2b92a52b7db550d98316b87fd65

SHA256
552e8f301abdd54efb7803da19f9f01907918d2d12fba9b9b0bc7ebd835a6bbe

SHA512
e7a397b1c8c353409b0f246dd4f96cb3650c7ff2f023ed53ad3fdf34a9cd04cdb443570456032f0a0b3f683f93cc4b269df9a39f68fe10c2ffd66698a24e6259

Download Submit
memory/912-134-0x0000000000000000-mapping.dmp

Download
memory/2292-141-0x0000000000000000-mapping.dmp

Download
memory/2292-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2292-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2292-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4316-131-0x0000000000000000-mapping.dmp

Download
memory/4400-130-0x0000000000E70000-0x0000000000EB6000-memory.dmp

Filesize
280KB

Download
memory/4400-139-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/4400-140-0x0000000005FA0000-0x000000000603C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads