netwire | 11084f0e466c6e14a898cd1e806dcfddc4ae3c7819a617c3d0a54490989ba559

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd1ce2a74f6e12fa21e8aeb3bb55682.exe
Size

1.3MB
MD5

bbd1ce2a74f6e12fa21e8aeb3bb55682
SHA1

a33778d7cfb8f2a1108e96a61cffe513d3e2474d
SHA256

11084f0e466c6e14a898cd1e806dcfddc4ae3c7819a617c3d0a54490989ba559
SHA512

696ed4730398ceb40dcb24b31c6cdc7b275e9847c931cceecd148ade23e98f1d33c940a6937ab91077bab6bf741b518a30be4c69443d65ddaec8e7dd6e32d6cc
SSDEEP

24576:oNVMrtDwm6k97VERFo9SZL2g3i/gs89UrmMnfk/iQ2+S0d:oArtDp99ZUkSZLHi/gsaU9fk/Pj

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

night90.ddns.net:8999

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
New-stub
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
soHOGwSb
offline_keylogger
true
password
teamoluwa1
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/624-23-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/624-24-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/624-26-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/624-33-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/624-37-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/624-39-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2764-52-0x00000000024A0000-0x00000000024E0000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2280	624	WerFault.exe	37

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2764	powershell.exe
1932	powershell.exe
2096	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2764	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	30
PID 2812 wrote to memory of 2764	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	30
PID 2812 wrote to memory of 2764	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	30
PID 2812 wrote to memory of 2764	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	30
PID 2812 wrote to memory of 2096	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	32
PID 2812 wrote to memory of 2096	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	32
PID 2812 wrote to memory of 2096	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	32
PID 2812 wrote to memory of 2096	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	32
PID 2812 wrote to memory of 680	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	34
PID 2812 wrote to memory of 680	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	34
PID 2812 wrote to memory of 680	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	34
PID 2812 wrote to memory of 680	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	34
PID 2812 wrote to memory of 1932	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	36
PID 2812 wrote to memory of 1932	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	36
PID 2812 wrote to memory of 1932	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	36
PID 2812 wrote to memory of 1932	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	36
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 2812 wrote to memory of 624	2812	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	37
PID 624 wrote to memory of 2280	624	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	39
PID 624 wrote to memory of 2280	624	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	39
PID 624 wrote to memory of 2280	624	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	39
PID 624 wrote to memory of 2280	624	bbd1ce2a74f6e12fa21e8aeb3bb55682.exe	39

C:\Users\Admin\AppData\Local\Temp\bbd1ce2a74f6e12fa21e8aeb3bb55682.exe
"C:\Users\Admin\AppData\Local\Temp\bbd1ce2a74f6e12fa21e8aeb3bb55682.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bbd1ce2a74f6e12fa21e8aeb3bb55682.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ASaaURY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ASaaURY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ASaaURY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\bbd1ce2a74f6e12fa21e8aeb3bb55682.exe
  "C:\Users\Admin\AppData\Local\Temp\bbd1ce2a74f6e12fa21e8aeb3bb55682.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 140
    3⤵
    - Program crash
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp92ED.tmp

Filesize
1KB

MD5
fbb49540fa0c736ff39143efe701493b

SHA1
a83f09f322c6d0741d89a0d44cd88c904b2ce823

SHA256
4285319046f91dac09109d75f437d2ca9125e668e26c3e1cec31284c6d16b56c

SHA512
5601f4a68acede8b09d9a88c451919d4cae43eb35912321085182b8694617c2cfbc9185e17bc40a9809e803a3c786ac880a5c2241119b01ea15967ceda5a35e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y444KCJKKYYR5OOK025Q.temp

Filesize
7KB

MD5
2e0e216de02c83c3fb65d00f5a062e3e

SHA1
6da69f87a7ae6c43c5ebd1a79711131209e8e4d8

SHA256
881a98cbf0bb68a88e89d624f62ec8215d5c24ee48779b3718d7b3625e76cbad

SHA512
e7418cf232885b48b1c657f9cddfd76bb9c698fa8b9fbb5905d94ede8790401cfb162bdc2fe4367d75d05fa5671162cb62d5b9dc2be32333063ee3a304db6382

Download Submit
memory/624-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/624-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/624-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-53-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-47-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/1932-48-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-41-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-55-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2096-44-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2096-49-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2096-51-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2096-46-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-50-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/2764-52-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/2764-54-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-45-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-43-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/2764-42-0x000000006ED80000-0x000000006F32B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-0-0x0000000000070000-0x00000000001C2000-memory.dmp

Filesize
1.3MB

Download
memory/2812-3-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/2812-5-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/2812-4-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-6-0x000000000C240000-0x000000000C2E2000-memory.dmp

Filesize
648KB

Download
memory/2812-7-0x00000000041C0000-0x00000000041FA000-memory.dmp

Filesize
232KB

Download
memory/2812-40-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-1-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-2-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download