netwire | acad4a9863d251bbb0f2724c743e0c2b51d953db7dff041db7a0ae6f607622f8

General

Target

ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe
Size

424KB
MD5

a809c41d8589013933ed759fe1b8f4fb
SHA1

1d8b8ed7e1577d314b307a39d77b51d98cde8567
SHA256

acad4a9863d251bbb0f2724c743e0c2b51d953db7dff041db7a0ae6f607622f8
SHA512

721883b08195b40875aba7c150970583845b1677d3158e7d7ccbc751d0203888861056206716ad29c4648297a03f11ca83b61b988d640520868e48018f6b3581
SSDEEP

6144:5ddVrIvYRJOa0tJSyOz6F59AMSIm9/4B/2omAkeKAqfIJyp9V/o9aM:LrI0O1+yO+plGq2TOKA7Ju

Score

10^/10

netwire agilenet botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

moran101.duckdns.org:7011

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
BILLIONS $$
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Naija81,J
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1884-64-0x0000000000A90000-0x0000000000ABC000-memory.dmp	netwire
behavioral1/memory/908-70-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/908-71-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/908-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/908-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/908-75-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/908-79-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/908-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/908-83-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

292 cmd.exe
Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trrefghuy.Lnk cscript.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

1928 cscript.exe

pid	process
292	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trrefghuy.Lnk	cscript.exe

pid	process
1928	cscript.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1884-56-0x0000000000460000-0x00000000004B2000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe

description pid process target process

PID 1884 set thread context of 908 1884 ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1884 set thread context of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.execmd.exe

description	pid	process	target process
PID 1884 wrote to memory of 1928	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cscript.exe
PID 1884 wrote to memory of 1928	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cscript.exe
PID 1884 wrote to memory of 1928	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cscript.exe
PID 1884 wrote to memory of 1928	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cscript.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 908	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	RegAsm.exe
PID 1884 wrote to memory of 292	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cmd.exe
PID 1884 wrote to memory of 292	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cmd.exe
PID 1884 wrote to memory of 292	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cmd.exe
PID 1884 wrote to memory of 292	1884	ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe	cmd.exe
PID 292 wrote to memory of 276	292	cmd.exe	choice.exe
PID 292 wrote to memory of 276	292	cmd.exe	choice.exe
PID 292 wrote to memory of 276	292	cmd.exe	choice.exe
PID 292 wrote to memory of 276	292	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe
"C:\Users\Admin\AppData\Local\Temp\ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\trrefghuy.vbs
2⤵
- Drops startup file
- Loads dropped DLL
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\ACAD4A9863D251BBB0F2724C743E0C2B51D953DB7DFF0.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\fdrdf.exe
Filesize
424KB

MD5
a809c41d8589013933ed759fe1b8f4fb

SHA1
1d8b8ed7e1577d314b307a39d77b51d98cde8567

SHA256
acad4a9863d251bbb0f2724c743e0c2b51d953db7dff041db7a0ae6f607622f8

SHA512
721883b08195b40875aba7c150970583845b1677d3158e7d7ccbc751d0203888861056206716ad29c4648297a03f11ca83b61b988d640520868e48018f6b3581

Download Submit
C:\Users\Admin\trrefghuy.vbs
Filesize
305B

MD5
7f66348280b1a7fd0e04e6ee8d2d654b

SHA1
05fecea87f6ce22bb708c85c1ff25158470b20dd

SHA256
bca33e8baca3f59f154c57d32dfe5ca5163bc5ac994eee0dc37e940a1cff0f9d

SHA512
c17fe7769b9dac6a079f5fb63fb96f28b54431139d6d64c5cbf6fb16b763252da91238108bab0ed27a9fd4d199d76bca8dd51c9277e16a64622846f8037a5b4b

Download Submit
\Users\Admin\AppData\Roaming\fdrdf.exe
Filesize
424KB

MD5
a809c41d8589013933ed759fe1b8f4fb

SHA1
1d8b8ed7e1577d314b307a39d77b51d98cde8567

SHA256
acad4a9863d251bbb0f2724c743e0c2b51d953db7dff041db7a0ae6f607622f8

SHA512
721883b08195b40875aba7c150970583845b1677d3158e7d7ccbc751d0203888861056206716ad29c4648297a03f11ca83b61b988d640520868e48018f6b3581

Download Submit
memory/276-80-0x0000000000000000-mapping.dmp

Download
memory/292-78-0x0000000000000000-mapping.dmp

Download
memory/908-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-83-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/908-75-0x0000000000402BCB-mapping.dmp

Download
memory/908-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1884-54-0x0000000000BD0000-0x0000000000C40000-memory.dmp

Filesize
448KB

Download
memory/1884-56-0x0000000000460000-0x00000000004B2000-memory.dmp

Filesize
328KB

Download
memory/1884-64-0x0000000000A90000-0x0000000000ABC000-memory.dmp

Filesize
176KB

Download
memory/1884-55-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/1884-57-0x00000000003E0000-0x0000000000406000-memory.dmp

Filesize
152KB

Download
memory/1884-58-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1928-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads