netwire | cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d

General

Target

21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
Size

227KB
MD5

21c0027924a5a4a70cd1e61220716224
SHA1

5546ef57a890ca54ee59f52a39d86ea3f24ffe0e
SHA256

cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d
SHA512

2571b525c8a9ac2abbe09fee720cbc1a4deb9aff288f75f9729475ae3497bcc4853e680015d7ea32d5f09b66425973fa564c0e51b7d10eeff91e369d3ed1ddf0
SSDEEP

6144:JpTfdT/KELr+ILii5Ea8NplE8AOcWRaIF2nYMg:JpTfp/KE3+ILkTplNUWkxYT

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
vkRChWpP
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/2396-23-0x0000000000C10000-0x0000000000C3C000-memory.dmp	netwire
behavioral1/memory/2660-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2660-38-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2660-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2660-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2660-40-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2660-41-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2660-43-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2660-50-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ymbWet.url	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2396 set thread context of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2864	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	28
PID 2396 wrote to memory of 2864	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	28
PID 2396 wrote to memory of 2864	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	28
PID 2396 wrote to memory of 2864	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	28
PID 2864 wrote to memory of 2172	2864	csc.exe	30
PID 2864 wrote to memory of 2172	2864	csc.exe	30
PID 2864 wrote to memory of 2172	2864	csc.exe	30
PID 2864 wrote to memory of 2172	2864	csc.exe	30
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31
PID 2396 wrote to memory of 2660	2396	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hyk1wkwn\hyk1wkwn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp" "c:\Users\Admin\AppData\Local\Temp\hyk1wkwn\CSC17DF46B7AF6A42CAB0CEBBC8E2010.TMP"
    3⤵
    PID:2172
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES11AD.tmp

Filesize
1KB

MD5
8bac3777a0b62eb657f975a727f6f76a

SHA1
c32e8c421e726d2812b0c867bb8eeee4c47837c9

SHA256
cb7afc10c599e4afc03b70caba6ee8250bf3792073ac3dcb6deb994a34ef1e65

SHA512
d443a1208f38dde5044a0b99f19ecf6e8574823c1b323f3c2e267d0edeac10c65bb8fe57d2b8877fbbc713b2f4497b01ad7aa3128cc450a6b225463ba31a2ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyk1wkwn\hyk1wkwn.dll

Filesize
13KB

MD5
697cefc27273e9ecb45bed285a87e2b5

SHA1
d056ca0ba2224a59ad23d8fa8ba0a49ae5de00fb

SHA256
8b4868218d801f4c385b0bb19fdfa824f2fe9769c68e24a16af70f418ff4e4db

SHA512
2c3371bbd9354fb2384f9876073abce24b6c6bc64e7a3c676ff74536023dce08655a59574c72a47e4e98c6966729cb018574e3109824ebf378f16377229365f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyk1wkwn\hyk1wkwn.pdb

Filesize
39KB

MD5
81516d8f52454f48142f3491ef6c509c

SHA1
c34bafae1d0bdfbc699941eed1fa83968654236d

SHA256
5535dea91d1cb4333b3eb5e028da4466abd06f1a882186120c71c6e753b2c2c9

SHA512
632930a37e3d1c56c8bd9c7fdacfa5db32a39b7cc5b34eda2d15b1d2ad82e2589ca66e48633745d7303dcc8b91974074bc9cbcf545ab5f374dfc02c421d971da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyk1wkwn\CSC17DF46B7AF6A42CAB0CEBBC8E2010.TMP

Filesize
1KB

MD5
aa4e75645e25a0561e43d899ac7d81d6

SHA1
e8b051d3f6d6bfa8af9220024c59fc10b6914de0

SHA256
5b7557b805fe7185758381494f2ec8baf6c3a5642350391b4fc0813acd883391

SHA512
3d1e2dbe067af72e50974828207b950d9a8cab22e467cd244989050f262ff7b2d25ae08140fe06db4b7a7a4843149ce409c2df13fe2b2d798915308c62317d71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyk1wkwn\hyk1wkwn.0.cs

Filesize
23KB

MD5
f836341851788bcc914ee5b7c184806f

SHA1
cc4f180e695f1036498bc7a16d0f1885b0c5af4f

SHA256
426571217dc194753b55e1a1d51ed64c3606590c7cd7557d5925b6d6bb7b3364

SHA512
d6b64906ac580c682141a545ac025433708bc1fc8cc9f65da3d5d21ed1ec6e4ed559102ce82daf996277bb86597c767ec0eab9d954e728d0743c82138ffa0a58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hyk1wkwn\hyk1wkwn.cmdline

Filesize
312B

MD5
ec7e07ee2d521250473d977c498d73b8

SHA1
a9ca6eb300dc6afd46fcb43ef2069d650d26f81b

SHA256
a0b4795b6f37a0a86d5716a855c7ce174b0d9fce9c11302cfd5de22f552d0e74

SHA512
00a41aa043ac195bba5f64311aa3158ef98c66856568ed4e2c8c9ab6f6decaab42a3ae08ff5973371cd36c1ff4454c06be4417d7c5e4f56ae793e0ed12fabb86

Download Submit
memory/2396-23-0x0000000000C10000-0x0000000000C3C000-memory.dmp

Filesize
176KB

Download
memory/2396-5-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-1-0x0000000001310000-0x000000000134E000-memory.dmp

Filesize
248KB

Download
memory/2396-17-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2396-19-0x0000000000760000-0x0000000000792000-memory.dmp

Filesize
200KB

Download
memory/2396-20-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2396-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/2396-42-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2660-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2660-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-41-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-43-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2660-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing