netwire | 5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08

General

Target

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe
Size

174KB
MD5

674de5033c26c516ac745e1568baf9c0
SHA1

e1b2f7cc184073d89fb8ac05b944a333e94b8874
SHA256

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08
SHA512

025b51f00fdffc79834b39e8e0d994c16e86247ca6dd0318a6842d75cba955f1f0e49bc7c7beb8911c5951684956f6e87bc0427fa1281a14dff5225824bf0132

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1480-67-0x0000000000E00000-0x0000000000E2C000-memory.dmp	netwire
behavioral1/memory/1820-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1820-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1820-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1820-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1820-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1820-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1820-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1820-83-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description	pid	process	target process
PID 1480 set thread context of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

pid	process
1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe
1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description pid process

Token: SeDebugPrivilege 1480 5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description	pid	process
Token: SeDebugPrivilege	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.execsc.exe

description	pid	process	target process
PID 1480 wrote to memory of 1736	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	csc.exe
PID 1480 wrote to memory of 1736	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	csc.exe
PID 1480 wrote to memory of 1736	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	csc.exe
PID 1480 wrote to memory of 1736	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	csc.exe
PID 1736 wrote to memory of 1860	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 1860	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 1860	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 1860	1736	csc.exe	cvtres.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1480 wrote to memory of 1820	1480	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe
"C:\Users\Admin\AppData\Local\Temp\5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yd4lwbdk\yd4lwbdk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2A4.tmp" "c:\Users\Admin\AppData\Local\Temp\yd4lwbdk\CSCC5EBE43237A640F1871FDC495B6E91D8.TMP"
3⤵
PID:1860

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC2A4.tmp
Filesize
1KB

MD5
52a1a75c059009b7e8d88b20b41c0d2f

SHA1
94fede71936fbf50b0df01f10aa77b4fbee9692e

SHA256
dfe997cdf9fa284ee5d82a28eb5951cc271f2cdd0e10249b1da3e9e9d76fabd4

SHA512
6cf5163b4f922c198309a64e1725c210e09d175e9f3b64ca8e3e484651eae8fb4ad4fd14cad7ae69e8f11388280639ebc568ad041c89efc2e492999ece13a96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yd4lwbdk\yd4lwbdk.dll
Filesize
6KB

MD5
6274430d6bee1a3cbcef8f2348716d3f

SHA1
5150376cc61d0dcb49a465845d0a852dc3471ebd

SHA256
14740d33e8bd71990f828775a00e0de95228e1e09c3b99774263c0be8efa7e8a

SHA512
e8d56b36c6506f95596519741d567ff060045856a6be628cf1b87af98f7fd81c3082b5630df770c29d60cd4d0a7ae8029e893e716bd83778faaa6d4a693a8a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\yd4lwbdk\yd4lwbdk.pdb
Filesize
19KB

MD5
2dfc85414b25f6c19d7b91173d6c882e

SHA1
e84e8d8aa0a5a83e5160befdbe9b0ccfead984f7

SHA256
de2c49eba3469c5d626a2d7d99209d9f1790b88954aec87ff4f9448220947b66

SHA512
b03fef1e459ae623ff91e53d3885841e870309bbd923dd1cd92cb64a1421d67277dd46160d2d179fcbbff7b2ab35f81663fae909dbd22dc8ba197b349efa9afc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yd4lwbdk\CSCC5EBE43237A640F1871FDC495B6E91D8.TMP
Filesize
1KB

MD5
06bf7ca0e4bd6b39f1221c9547564587

SHA1
d1d9aee5dcbb3c4ba3e6f542fff0ce0284d0d8bc

SHA256
d73043bd857ae18a8b9698214d5a78fe48743ef7913d57800ab49cc74b9a7702

SHA512
a47c6660af069ef8001f741e4eddba60fe4c39c33bbfa14a8984d26dd3f0e3bfb0e81a26a455fa9e62a84f5f24df478799d37fc12bb1cb0a8e20bcdd58101306

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yd4lwbdk\yd4lwbdk.0.cs
Filesize
3KB

MD5
0a91820596a9cda9284d89f2472e0228

SHA1
41481ca2924be78d9c43042877ee313bf6321222

SHA256
993be85d24ada45551e1d2e4bc696a635ad2977470ba26c5c7c0a67b7c4037fd

SHA512
99e8a905e7c17be7dd535671f5685227cce6ce4c7d445c7c03f6b58fe01894e5da6a39e51ed24d9efe31e34c9c9e004b0ddb8fe11218740d30d0ec62dad131e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yd4lwbdk\yd4lwbdk.cmdline
Filesize
312B

MD5
f48de7dc657178b64b11bacb7234668d

SHA1
f4af0d2e2c270877fea201964064f99b69a8d694

SHA256
7bb023e455194bdc9f93ad8df66111ca48b5f72d79a08d4af4670d664d6b5b25

SHA512
97476c07330f1b6c98ca0039528a88737873f839d5f9cd399b867c187ccda965e787ec88e86ae8f55a965c2e5a3ff962b94866ded0b69be34c8992b9f0a3dd6e

Download Submit
memory/1480-66-0x0000000076311000-0x0000000076313000-memory.dmp

Filesize
8KB

Download
memory/1480-67-0x0000000000E00000-0x0000000000E2C000-memory.dmp

Filesize
176KB

Download
memory/1480-63-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/1480-64-0x0000000000CB0000-0x0000000000CE2000-memory.dmp

Filesize
200KB

Download
memory/1480-65-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1480-54-0x0000000001370000-0x00000000013A0000-memory.dmp

Filesize
192KB

Download
memory/1736-55-0x0000000000000000-mapping.dmp

Download
memory/1820-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-78-0x0000000000402BCB-mapping.dmp

Download
memory/1820-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-83-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1860-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads