netwire | 257a617f6233df4361c8c430261293c3d016c4757b03692329a5d078f9eb0a51

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe
Size

243KB
MD5

0bcdcedca7fbafa1200492139b8e5f0d
SHA1

63c2e2136107950975b8d89ae7d1ae520b05fc3c
SHA256

257a617f6233df4361c8c430261293c3d016c4757b03692329a5d078f9eb0a51
SHA512

932d81552ce1e3194c8fe254a4b5f9f4ba05dabeef6dc4dffdefbbf30893c9b484f611279573934f735acbb07e3a3a15487906f4a963f5816e95cd32a451ba2e
SSDEEP

6144:0puB4nKupg1dRzRATfzf9+yY8B86FL1D55q:DB4Kua1dB+TD9NFB8wLJ55q

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

ddns.catamosky.biz:4886

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
APRIL
install_path
%AppData%\Install\Hostiuj.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fhYmpchh
offline_keylogger
true
password
Trinidado1@
registry_autorun
true
startup_name
hostiuj
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2704-8-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2704-11-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2704-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2540-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2540-33-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2540-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2920	Hostiuj.exe
2540	Hostiuj.exe

Loads dropped DLL 3 IoCs

pid	Process
1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe
2704	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe
2920	Hostiuj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\hostiuj = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Hostiuj.exe"	Hostiuj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 2704	1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	28
PID 2920 set thread context of 2540	2920	Hostiuj.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000015653-19.dat	nsis_installer_1
behavioral1/files/0x0007000000015653-19.dat	nsis_installer_2

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe
2920	Hostiuj.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2704	1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2704	1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2704	1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2704	1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	28
PID 1808 wrote to memory of 2704	1808	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	28
PID 2704 wrote to memory of 2920	2704	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	29
PID 2704 wrote to memory of 2920	2704	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	29
PID 2704 wrote to memory of 2920	2704	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	29
PID 2704 wrote to memory of 2920	2704	0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe	29
PID 2920 wrote to memory of 2540	2920	Hostiuj.exe	30
PID 2920 wrote to memory of 2540	2920	Hostiuj.exe	30
PID 2920 wrote to memory of 2540	2920	Hostiuj.exe	30
PID 2920 wrote to memory of 2540	2920	Hostiuj.exe	30
PID 2920 wrote to memory of 2540	2920	Hostiuj.exe	30

C:\Users\Admin\AppData\Local\Temp\0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0bcdcedca7fbafa1200492139b8e5f0d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe
    "C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe
      "C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4pxlGUS

Filesize
47KB

MD5
1f0cd7c54497e0cc8087315d7f998ae0

SHA1
cc379ed3354b237f559c540e7170f373968b4bcc

SHA256
9ba9fbf4465268a388f4a0742bb9bada09daaa7cbab620cd4ae02be5af1433fb

SHA512
a5535324c0a82a19c3f960343078e3c5190b57825fd140539f09c75554629a7d23158f2f91a5e1df1195faa5438982b2f63649794b4e3f8671a3ed7c9765f0d4

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe

Filesize
243KB

MD5
0bcdcedca7fbafa1200492139b8e5f0d

SHA1
63c2e2136107950975b8d89ae7d1ae520b05fc3c

SHA256
257a617f6233df4361c8c430261293c3d016c4757b03692329a5d078f9eb0a51

SHA512
932d81552ce1e3194c8fe254a4b5f9f4ba05dabeef6dc4dffdefbbf30893c9b484f611279573934f735acbb07e3a3a15487906f4a963f5816e95cd32a451ba2e

Download Submit
\Users\Admin\AppData\Local\Temp\nst15A4.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/1808-7-0x0000000002720000-0x0000000002745000-memory.dmp

Filesize
148KB

Download
memory/1808-10-0x0000000002720000-0x0000000002745000-memory.dmp

Filesize
148KB

Download
memory/2540-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2540-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2540-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2704-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2704-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2704-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads