netwire | 94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d

General

Target

PO20221110-PDF.js
Size

511KB
MD5

abb2c006b96920466b3ccf956f734e3b
SHA1

23ba08441fb0f5bad93a2d258fe72bfb429b1250
SHA256

94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d
SHA512

4ebbee2d4d067ab93a05ae12afba09e744a003428169916d93cb47774e66c1eb99f1b9e7627580e844a4c99dc5b22dfefa88c8acc22fa6329f92060ce5a6751c
SSDEEP

12288:X4asKyOMBGvENnL8m4wNTUewr4ZOFQLlvaVHDT73tNBcQmXOFjL3veFL:N56MEZ74BwQJjL3vY

Score

10^/10

netwire vjw0rm botnet rat stealer trojan worm

Malware Config

Extracted

Family

netwire

C2

jspowerone.cloudns.nz:8078

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
DN
install_path
%AppData%\Install\Host.exe
keylogger_dir
TestLink.lnk
lock_executable
false
mutex
wLPvLQMO
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Host DNS.exe	netwire
C:\Users\Admin\AppData\Roaming\Host DNS.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 5 IoCs

Processes:

wscript.exe

flow pid process

6 1480 wscript.exe
7 1480 wscript.exe
9 1480 wscript.exe
11 1480 wscript.exe
12 1480 wscript.exe
Executes dropped EXE 2 IoCs

Processes:

Host DNS.exeHost.exe

pid process

2032 Host DNS.exe
1444 Host.exe

flow	pid	process
6	1480	wscript.exe
7	1480	wscript.exe
9	1480	wscript.exe
11	1480	wscript.exe
12	1480	wscript.exe

pid	process
2032	Host DNS.exe
1444	Host.exe

Drops startup file 3 IoCs

Processes:

wscript.exeHost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YJbkIAqdml.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TestLink.lnk	Host.exe

Loads dropped DLL 2 IoCs

Processes:

Host DNS.exeHost.exe

pid process

2032 Host DNS.exe
1444 Host.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2032	Host DNS.exe
1444	Host.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeHost DNS.exe

description	pid	process	target process
PID 1504 wrote to memory of 1480	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 1480	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 1480	1504	wscript.exe	wscript.exe
PID 1504 wrote to memory of 2032	1504	wscript.exe	Host DNS.exe
PID 1504 wrote to memory of 2032	1504	wscript.exe	Host DNS.exe
PID 1504 wrote to memory of 2032	1504	wscript.exe	Host DNS.exe
PID 1504 wrote to memory of 2032	1504	wscript.exe	Host DNS.exe
PID 2032 wrote to memory of 1444	2032	Host DNS.exe	Host.exe
PID 2032 wrote to memory of 1444	2032	Host DNS.exe	Host.exe
PID 2032 wrote to memory of 1444	2032	Host DNS.exe	Host.exe
PID 2032 wrote to memory of 1444	2032	Host DNS.exe	Host.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PO20221110-PDF.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:1480

C:\Users\Admin\AppData\Roaming\Host DNS.exe
"C:\Users\Admin\AppData\Roaming\Host DNS.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Host DNS.exe
Filesize
272KB

MD5
93faef710207f7739552b0c60f36f6f2

SHA1
cf4e4425ccea409e2d2eec80ad20088f934bc262

SHA256
8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb

SHA512
80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

Download Submit
C:\Users\Admin\AppData\Roaming\Host DNS.exe
Filesize
272KB

MD5
93faef710207f7739552b0c60f36f6f2

SHA1
cf4e4425ccea409e2d2eec80ad20088f934bc262

SHA256
8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb

SHA512
80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
272KB

MD5
93faef710207f7739552b0c60f36f6f2

SHA1
cf4e4425ccea409e2d2eec80ad20088f934bc262

SHA256
8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb

SHA512
80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
272KB

MD5
93faef710207f7739552b0c60f36f6f2

SHA1
cf4e4425ccea409e2d2eec80ad20088f934bc262

SHA256
8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb

SHA512
80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

Download Submit
C:\Users\Admin\AppData\Roaming\YJbkIAqdml.js
Filesize
10KB

MD5
b2ab4f082c681e45ba19a59c55c2a418

SHA1
46c869e81ab32f5875bd1aedc05e1858d90963d4

SHA256
698ff38f65986350217e7718c792f4d1b540a773718b05d821cfdf2919e9d473

SHA512
fede4f9cfd8abfd9bb4ceef0303874d81edd97015a2e1b1c03fd9147bc320a554f75cd9ece1592fe41d90934bfcfcf53d1ab2c03422861132fb2157be2e16efd

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
272KB

MD5
93faef710207f7739552b0c60f36f6f2

SHA1
cf4e4425ccea409e2d2eec80ad20088f934bc262

SHA256
8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb

SHA512
80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
272KB

MD5
93faef710207f7739552b0c60f36f6f2

SHA1
cf4e4425ccea409e2d2eec80ad20088f934bc262

SHA256
8421c842d964e5eb8fd7964f29c4ed2f5d7d0f3591f8e5738b6f066037b5eabb

SHA512
80b4171d2e42d38f6c7dcfa186427ffc59f1ef7c4f52690cca0394cd7fc988da480dbda1c87b1516ac730424c508088201dddd3b4a26ad1c2de9a536a06c5090

Download Submit
memory/1444-63-0x0000000000000000-mapping.dmp

Download
memory/1480-55-0x0000000000000000-mapping.dmp

Download
memory/1504-54-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000000000000-mapping.dmp

Download
memory/2032-59-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads