netwire | dca25d35ee7ac4e3358051e5b14104eb74606ba7eb736774bf9e36ee46856772

Analysis

max time kernel
1s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.95f89cbdd9bd5d81dd4cdb671a9d12c9.exe
Size

1.3MB
MD5

95f89cbdd9bd5d81dd4cdb671a9d12c9
SHA1

8401397d5d4e12d8fe714580237d979f8a142d37
SHA256

dca25d35ee7ac4e3358051e5b14104eb74606ba7eb736774bf9e36ee46856772
SHA512

6d0edb8b01ebabffd7d549eed9330ea6ced8224080565754de740cb24359ed401df25a2c7b4e182784135c6229d91d9a67348d3211142f0c44946533a391104c
SSDEEP

24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWYr:8u0c++OCvkGs9Fa+rd1f26RaYr

Score

10^/10

netwire warzonerat botnet infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 22 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000022e22-4.dat	netwire
behavioral2/files/0x0006000000022e22-7.dat	netwire
behavioral2/files/0x0006000000022e22-6.dat	netwire
behavioral2/files/0x0006000000022e25-11.dat	netwire
behavioral2/memory/2916-12-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/files/0x0006000000022e25-10.dat	netwire
behavioral2/memory/1380-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/files/0x0006000000022e27-27.dat	netwire
behavioral2/files/0x0006000000022e27-28.dat	netwire
behavioral2/files/0x0006000000022e22-35.dat	netwire
behavioral2/files/0x0006000000022e27-44.dat	netwire
behavioral2/files/0x0006000000022e22-49.dat	netwire
behavioral2/memory/4276-50-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1380-51-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4276-52-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/files/0x0006000000022e27-60.dat	netwire
behavioral2/files/0x0006000000022e22-61.dat	netwire
behavioral2/files/0x0006000000022e27-71.dat	netwire
behavioral2/memory/1224-77-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/files/0x0006000000022e27-91.dat	netwire
behavioral2/files/0x0006000000022e22-92.dat	netwire
behavioral2/files/0x0006000000022e27-101.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 7 IoCs

rat

resource	yara_rule
behavioral2/memory/1036-13-0x0000000000190000-0x00000000001AD000-memory.dmp	warzonerat
behavioral2/memory/1036-22-0x0000000000190000-0x00000000001AD000-memory.dmp	warzonerat
behavioral2/memory/4260-36-0x00000000012B0000-0x00000000012CD000-memory.dmp	warzonerat
behavioral2/memory/4260-45-0x00000000012B0000-0x00000000012CD000-memory.dmp	warzonerat
behavioral2/memory/4996-72-0x0000000000230000-0x000000000024D000-memory.dmp	warzonerat
behavioral2/memory/4996-63-0x0000000000230000-0x000000000024D000-memory.dmp	warzonerat
behavioral2/memory/4384-93-0x0000000000160000-0x000000000017D000-memory.dmp	warzonerat

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0006000000022e27-27.dat	autoit_exe
behavioral2/files/0x0006000000022e27-28.dat	autoit_exe
behavioral2/files/0x0006000000022e27-44.dat	autoit_exe
behavioral2/files/0x0006000000022e27-60.dat	autoit_exe
behavioral2/files/0x0006000000022e27-71.dat	autoit_exe
behavioral2/files/0x0006000000022e27-91.dat	autoit_exe
behavioral2/files/0x0006000000022e27-101.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3384	schtasks.exe
1760	schtasks.exe
3892	schtasks.exe
4068	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.95f89cbdd9bd5d81dd4cdb671a9d12c9.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.95f89cbdd9bd5d81dd4cdb671a9d12c9.exe"
1⤵
PID:4168
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  PID:2916
- - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
    3⤵
    PID:1380
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\NEAS.95f89cbdd9bd5d81dd4cdb671a9d12c9.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.95f89cbdd9bd5d81dd4cdb671a9d12c9.exe"
  2⤵
  PID:1036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2312

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
PID:4068
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  PID:4276
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3892
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
  2⤵
  PID:4260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2132

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
PID:4440
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  PID:1224
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4068
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
  2⤵
  PID:4996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2228

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
1⤵
PID:3380
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  PID:3940
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:4664
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
9850f67aa3ae0622142e6c76c1f0ddf5

SHA1
dc77c5484720cff94b08b5608c07ec404ec2f278

SHA256
4d15a751d708f8671d96b2778a0372e7a2e1345dfa1ea4102a3fef061ded5072

SHA512
e335822d9293616a095d02696ee5f7d9939a930303db61095996948e2ff440fdee4fe87795fbe3e8c792cf9c9fa713d919f26a57096e5c06d7eb155bf9ce39fc

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
9850f67aa3ae0622142e6c76c1f0ddf5

SHA1
dc77c5484720cff94b08b5608c07ec404ec2f278

SHA256
4d15a751d708f8671d96b2778a0372e7a2e1345dfa1ea4102a3fef061ded5072

SHA512
e335822d9293616a095d02696ee5f7d9939a930303db61095996948e2ff440fdee4fe87795fbe3e8c792cf9c9fa713d919f26a57096e5c06d7eb155bf9ce39fc

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
9850f67aa3ae0622142e6c76c1f0ddf5

SHA1
dc77c5484720cff94b08b5608c07ec404ec2f278

SHA256
4d15a751d708f8671d96b2778a0372e7a2e1345dfa1ea4102a3fef061ded5072

SHA512
e335822d9293616a095d02696ee5f7d9939a930303db61095996948e2ff440fdee4fe87795fbe3e8c792cf9c9fa713d919f26a57096e5c06d7eb155bf9ce39fc

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
9850f67aa3ae0622142e6c76c1f0ddf5

SHA1
dc77c5484720cff94b08b5608c07ec404ec2f278

SHA256
4d15a751d708f8671d96b2778a0372e7a2e1345dfa1ea4102a3fef061ded5072

SHA512
e335822d9293616a095d02696ee5f7d9939a930303db61095996948e2ff440fdee4fe87795fbe3e8c792cf9c9fa713d919f26a57096e5c06d7eb155bf9ce39fc

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
9850f67aa3ae0622142e6c76c1f0ddf5

SHA1
dc77c5484720cff94b08b5608c07ec404ec2f278

SHA256
4d15a751d708f8671d96b2778a0372e7a2e1345dfa1ea4102a3fef061ded5072

SHA512
e335822d9293616a095d02696ee5f7d9939a930303db61095996948e2ff440fdee4fe87795fbe3e8c792cf9c9fa713d919f26a57096e5c06d7eb155bf9ce39fc

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
9850f67aa3ae0622142e6c76c1f0ddf5

SHA1
dc77c5484720cff94b08b5608c07ec404ec2f278

SHA256
4d15a751d708f8671d96b2778a0372e7a2e1345dfa1ea4102a3fef061ded5072

SHA512
e335822d9293616a095d02696ee5f7d9939a930303db61095996948e2ff440fdee4fe87795fbe3e8c792cf9c9fa713d919f26a57096e5c06d7eb155bf9ce39fc

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.3MB

MD5
9850f67aa3ae0622142e6c76c1f0ddf5

SHA1
dc77c5484720cff94b08b5608c07ec404ec2f278

SHA256
4d15a751d708f8671d96b2778a0372e7a2e1345dfa1ea4102a3fef061ded5072

SHA512
e335822d9293616a095d02696ee5f7d9939a930303db61095996948e2ff440fdee4fe87795fbe3e8c792cf9c9fa713d919f26a57096e5c06d7eb155bf9ce39fc

Download Submit
memory/1036-13-0x0000000000190000-0x00000000001AD000-memory.dmp

Filesize
116KB

Download
memory/1036-22-0x0000000000190000-0x00000000001AD000-memory.dmp

Filesize
116KB

Download
memory/1224-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1380-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1380-51-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2132-46-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2228-73-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/2312-24-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2916-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4168-16-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4260-45-0x00000000012B0000-0x00000000012CD000-memory.dmp

Filesize
116KB

Download
memory/4260-36-0x00000000012B0000-0x00000000012CD000-memory.dmp

Filesize
116KB

Download
memory/4276-52-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4276-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4384-93-0x0000000000160000-0x000000000017D000-memory.dmp

Filesize
116KB

Download
memory/4996-63-0x0000000000230000-0x000000000024D000-memory.dmp

Filesize
116KB

Download
memory/4996-72-0x0000000000230000-0x000000000024D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads