netwire | 5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08

General

Target

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe
Size

174KB
MD5

674de5033c26c516ac745e1568baf9c0
SHA1

e1b2f7cc184073d89fb8ac05b944a333e94b8874
SHA256

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08
SHA512

025b51f00fdffc79834b39e8e0d994c16e86247ca6dd0318a6842d75cba955f1f0e49bc7c7beb8911c5951684956f6e87bc0427fa1281a14dff5225824bf0132

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4720-142-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4720-144-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4720-145-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description	pid	process	target process
PID 1508 set thread context of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

pid	process
1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe
1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description pid process

Token: SeDebugPrivilege 1508 5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

description	pid	process
Token: SeDebugPrivilege	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.execsc.exe

description	pid	process	target process
PID 1508 wrote to memory of 2640	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	csc.exe
PID 1508 wrote to memory of 2640	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	csc.exe
PID 1508 wrote to memory of 2640	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	csc.exe
PID 2640 wrote to memory of 1288	2640	csc.exe	cvtres.exe
PID 2640 wrote to memory of 1288	2640	csc.exe	cvtres.exe
PID 2640 wrote to memory of 1288	2640	csc.exe	cvtres.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe
PID 1508 wrote to memory of 4720	1508	5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe
"C:\Users\Admin\AppData\Local\Temp\5d21171ecf13da2d916177489bc0ff4f9ce43c32f91e1ac0d6d4e790d3c67f08.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ybdoc0zm\ybdoc0zm.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF08.tmp" "c:\Users\Admin\AppData\Local\Temp\ybdoc0zm\CSCE0C9D78B9514EBAAB8249D8A34F1FD0.TMP"
3⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEF08.tmp

Filesize
1KB

MD5
7547a5df17f0313b9bdfd92ce249db69

SHA1
96cb20baf639968aaa0b5266852f8d52fbf02b32

SHA256
53fe7584eeb0978e02784215d2966b274460212421c3a3fbe1d68479a0719aac

SHA512
ad98ee690e148e1451783275841b1d60eb4f00b5b15f48d6fd51ddb01c556fe68c711fbd37135cb7e55453da66b511e071d74634a0da1b6d15900e7e1e0dd9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybdoc0zm\ybdoc0zm.dll

Filesize
6KB

MD5
e06ba20ea629a511bba7251bdab26b1a

SHA1
4e1ae9d10c6f4396d741dcaf2d96133877df48d9

SHA256
16c08b9d3eb2efef2ed35d0c424ab6e62896e0ca65bedd2552cc565e1fc6ae5e

SHA512
750cfdf5dc5a9631d3ee200c3409d8dee96a6e260f823db9282825fdcdaaa972b1c0967173580e7af415ad86e31fbd0bb0706b0eb72d04cfc094cc9f0d9e88a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybdoc0zm\ybdoc0zm.pdb

Filesize
19KB

MD5
f1ea575ed6aed7029906a5f5cb814ff6

SHA1
b14dcc4c68668f8d4ecc6f9e9be49df5c052a6fb

SHA256
6137e350086582b1826403940927bac33a62df628e8c360f2de253f018ee59e3

SHA512
b9f75363dd9223d2df0f81743a0a1c22f44126bc28dff410a77eeeb5832138e52123b7a0b873ae54d864be367f88e4c005b81b49f3bb164a43ded11985b9ef09

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ybdoc0zm\CSCE0C9D78B9514EBAAB8249D8A34F1FD0.TMP

Filesize
1KB

MD5
69442fee3a3114d3117c7cfa154bebcf

SHA1
dcb23f84f0364937e7fa9b643459537560745a69

SHA256
7c02f08d3435f474b3e6712dcce982863242b35bc4bd309e86299762f4c53606

SHA512
e6cde924cc9f7e709568e5f6ecc3fca078a64b207e4ce5bd74fca9d5f28d4590eed57cafa5313d87e9b3ccd9308238c48e269f0b052d021f37d9cce64aa8a11c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ybdoc0zm\ybdoc0zm.0.cs

Filesize
3KB

MD5
0a91820596a9cda9284d89f2472e0228

SHA1
41481ca2924be78d9c43042877ee313bf6321222

SHA256
993be85d24ada45551e1d2e4bc696a635ad2977470ba26c5c7c0a67b7c4037fd

SHA512
99e8a905e7c17be7dd535671f5685227cce6ce4c7d445c7c03f6b58fe01894e5da6a39e51ed24d9efe31e34c9c9e004b0ddb8fe11218740d30d0ec62dad131e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ybdoc0zm\ybdoc0zm.cmdline

Filesize
312B

MD5
89c1a5b3741cda55876d0f500b884e65

SHA1
b1d83b6fac6823d15ba79d84f112319eb02f16b3

SHA256
d8d88146764f0239cafd93d9b06a5a2441a5c453a91359e37aafc3e103862e97

SHA512
5f26608593e33755c2e291e23a8dc77350c8e0076d77ea06f49f7677273bd13421b71a375ccbd6d54c27c75f912d1379d6075bb2f2013ec23875a0cff52a5ef4

Download Submit
memory/1288-134-0x0000000000000000-mapping.dmp

Download
memory/1508-130-0x0000000000E50000-0x0000000000E80000-memory.dmp

Filesize
192KB

Download
memory/1508-139-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/1508-140-0x0000000005F50000-0x0000000005FEC000-memory.dmp

Filesize
624KB

Download
memory/2640-131-0x0000000000000000-mapping.dmp

Download
memory/4720-141-0x0000000000000000-mapping.dmp

Download
memory/4720-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4720-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4720-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads