netwire | 7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650

General

Target

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe
Size

257KB
MD5

d699e0316ff32d7b7d551ad6abface4c
SHA1

789f7e7ada8f769ac4709a74cf16c2a086f595e9
SHA256

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650
SHA512

e8d35c8acd950fcc3d81eb5a3b1047723d68b5de8906d825787ab87add3796abe700271fb666190732538e740b345c60a3a5fce8d0f79ac210abdcd536fc9fd1
SSDEEP

6144:5V6vBUSGrwSKVICKku8IF0j0KngiDyP5/x3:5VvSGrwSKqbF8IF08iuP/3

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2024-67-0x0000000000BF0000-0x0000000000C1C000-memory.dmp	netwire
behavioral1/memory/1132-74-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1132-76-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1132-73-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1132-78-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1132-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1132-81-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1132-82-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVnkRn.url	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

description	pid	process	target process
PID 2024 set thread context of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

pid	process
2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe
2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

description pid process

Token: SeDebugPrivilege 2024 7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

description	pid	process
Token: SeDebugPrivilege	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.execsc.exe

description	pid	process	target process
PID 2024 wrote to memory of 1736	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	csc.exe
PID 2024 wrote to memory of 1736	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	csc.exe
PID 2024 wrote to memory of 1736	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	csc.exe
PID 2024 wrote to memory of 1736	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	csc.exe
PID 1736 wrote to memory of 548	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 548	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 548	1736	csc.exe	cvtres.exe
PID 1736 wrote to memory of 548	1736	csc.exe	cvtres.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe
PID 2024 wrote to memory of 1132	2024	7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe
"C:\Users\Admin\AppData\Local\Temp\7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iaijrm0z\iaijrm0z.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E55.tmp" "c:\Users\Admin\AppData\Local\Temp\iaijrm0z\CSC4BEE79EBC6CD4657AEBA3ADF9FDAF753.TMP"
3⤵
PID:548

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7E55.tmp
Filesize
1KB

MD5
968418044cab14e114b27aee14f5fb4e

SHA1
70c3fc3ada047fa055d910ef31a5512935aa2dfa

SHA256
338e3369250deb7c8437c03f73d33bbb48bbe0d77893703072b0d05f79b4631b

SHA512
19b5c4d7c5f37d193043a7c785e250a6d90417fe2a91f69a5894c100a8f8325d92f075362dd884067e161eaf8b6cac92d624c0667c1cc42d56b467898e8202b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaijrm0z\iaijrm0z.dll
Filesize
17KB

MD5
dc016f638da5688e2df582be33b77dce

SHA1
f7f524b5745a097972ebd959ec0b9a0e07f5caef

SHA256
c231e45224ed869f760ee68a38af04c619ddf3cf3ba7e7b9bf38c5862e27dbff

SHA512
67aefcb98723679e97e9be78c77a2eaa7f653bacb5884ef61582566b275b93a434cfe4cc4e5bb63f31bbb5e5665ea5056ec20bbc086a70e3dc3f9231839e47e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iaijrm0z\iaijrm0z.pdb
Filesize
53KB

MD5
ac7f96b86c83919fab84118160d952de

SHA1
40ca47c32423e4881cd6648ac6bf877b4db3f936

SHA256
4988a5869d0af787f60d720960b20d425332b4030294f9b893c73137815b97ef

SHA512
0f961225bb1ef3da45eb00661bd771d6f2bbbfd3542bb069ebf3fae124b4da5962bbe61013864f388b52f63e7c3f1742235e541868f900bb2333fa060ca1346f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iaijrm0z\CSC4BEE79EBC6CD4657AEBA3ADF9FDAF753.TMP
Filesize
1KB

MD5
c287517dbce9065d94f288beca815fae

SHA1
b8d30a95e03f33f94f69637bb08c17d417545d82

SHA256
afde726ae654a16032062a0be22fd1115e6e0a6d21b3a11dc4a067d1c60099b0

SHA512
eb3cf5a5c49e33bcb6cab5ef914f9141d422cef931f8bb5a89b35debc9d9283741d2692714bf3319ff864129bd264c7bc280c75053dabec3a5860e367e032876

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iaijrm0z\iaijrm0z.0.cs
Filesize
37KB

MD5
9fafd44315a524486b84e23bedaec8bf

SHA1
0d2820c6a0d71d57200dccafa2c6fb421269f2ec

SHA256
549faa466584fa74103c11227ef0b811cf96bda2d27b5c1c53fc2f053e96db74

SHA512
e5f2023c15f49f7758d11972e4edf00731956cf69b0b52df6a1bed00dbe756ce87b1a76af9c7dacd3abdae374da8452d6c9790f5e1ebee4ceee9c74e23778280

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iaijrm0z\iaijrm0z.cmdline
Filesize
312B

MD5
e28c9e24e0790b7e9def5e979882c4d0

SHA1
38257a484b3a8f32450728a1e2c2f6cf7c369b71

SHA256
dc68de6671d8a16da27bee81043f369528c51b5211c5dfb2c3cf814dc1754d80

SHA512
dd2a768b757ea683d7f88dca16dc624e6083f3b5b502d10e95dc995e348806b17afdc91088e27ccc63be6bcc45a0f0ab9d2e1ee3b5d7223088d00aa464dd11e9

Download Submit
memory/548-58-0x0000000000000000-mapping.dmp

Download
memory/1132-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-78-0x0000000000402BCB-mapping.dmp

Download
memory/1132-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-81-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1736-55-0x0000000000000000-mapping.dmp

Download
memory/2024-67-0x0000000000BF0000-0x0000000000C1C000-memory.dmp

Filesize
176KB

Download
memory/2024-54-0x0000000000F40000-0x0000000000F86000-memory.dmp

Filesize
280KB

Download
memory/2024-66-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2024-65-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2024-64-0x0000000000BC0000-0x0000000000BF2000-memory.dmp

Filesize
200KB

Download
memory/2024-63-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads