netwire | cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d

General

Target

21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
Size

227KB
MD5

21c0027924a5a4a70cd1e61220716224
SHA1

5546ef57a890ca54ee59f52a39d86ea3f24ffe0e
SHA256

cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d
SHA512

2571b525c8a9ac2abbe09fee720cbc1a4deb9aff288f75f9729475ae3497bcc4853e680015d7ea32d5f09b66425973fa564c0e51b7d10eeff91e369d3ed1ddf0
SSDEEP

6144:JpTfdT/KELr+ILii5Ea8NplE8AOcWRaIF2nYMg:JpTfp/KE3+ILkTplNUWkxYT

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
vkRChWpP
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/2172-24-0x0000000005C90000-0x0000000005CBC000-memory.dmp	netwire
behavioral2/memory/1304-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1304-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1304-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1304-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1304-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ymbWet.url	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 696	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	83
PID 2172 wrote to memory of 696	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	83
PID 2172 wrote to memory of 696	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	83
PID 696 wrote to memory of 4364	696	csc.exe	86
PID 696 wrote to memory of 4364	696	csc.exe	86
PID 696 wrote to memory of 4364	696	csc.exe	86
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87
PID 2172 wrote to memory of 1304	2172	21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21c0027924a5a4a70cd1e61220716224_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lgkrxtvv\lgkrxtvv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES44E8.tmp" "c:\Users\Admin\AppData\Local\Temp\lgkrxtvv\CSCCEBAEEBE30AB4665A0EC3A191BE5C8E9.TMP"
    3⤵
    PID:4364
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES44E8.tmp

Filesize
1KB

MD5
d79d15e4ed4e339940070e64fc403784

SHA1
6edbc110340056f135d9815f47f0489e0e8cdd5c

SHA256
e162070d0ea8f308b76b4e6c826b1afcc2b7a8400157bd77342d30d89d287104

SHA512
695adf042b85079d5bca8c292d55e5dd479d4ee9a801cbb0a392c38cddfd79ca143b5eb93e800d93299cea6fef4a46911523903589929e3901a2735a2446e738

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgkrxtvv\lgkrxtvv.dll

Filesize
13KB

MD5
46acb1c1c09507b39b948ca3f47359f7

SHA1
71c5da7b9d44233001af4b03ef1b1192fc3d7506

SHA256
1b7a4f54f171b303f7449b637c0e4ddfce7f5be0e9a08fc8c7566d4849d1c548

SHA512
b514928818ca9309e678772f0607dda5a39179990fbca86a1293465dc6030badf1f9d5e87b4769bf7dca5d7c26fc873d900230bfc0b70174cb83133e02369f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgkrxtvv\lgkrxtvv.pdb

Filesize
39KB

MD5
c48f142995aacd2a3a5cd859818c89b8

SHA1
f95065af47718cab147ea708ce56499dc787afa6

SHA256
51a9ab95a1d553d086a184789e2ea0b69e0bb9d18cdb9eab7fa380aad2b82cd1

SHA512
b4493492aa6d869e02622d3acc609237450b5a9537a2c2c77ba2a417c4c79b39c4c1fa7723cd306ae3d35bf349deafc73121710ebe4f2c68550efd131e3822ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgkrxtvv\CSCCEBAEEBE30AB4665A0EC3A191BE5C8E9.TMP

Filesize
1KB

MD5
2abd394a2402f8b2d1b9dd3ffe11117e

SHA1
0336e3841dcd5fba25408f59ae983ad730347226

SHA256
74e2a75ba8a0f003ca06f8e9ed13c8c45d1c21f5b9095383ff3cf1db5b6ea13a

SHA512
73c41868d56aa548a23fa8bcfebdc65d30dce02ca60b17641ad0ef41000d32fb0770e6e818ecea69ba059035470882dc2e16be05743c1c72b5724375c203c522

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgkrxtvv\lgkrxtvv.0.cs

Filesize
23KB

MD5
f836341851788bcc914ee5b7c184806f

SHA1
cc4f180e695f1036498bc7a16d0f1885b0c5af4f

SHA256
426571217dc194753b55e1a1d51ed64c3606590c7cd7557d5925b6d6bb7b3364

SHA512
d6b64906ac580c682141a545ac025433708bc1fc8cc9f65da3d5d21ed1ec6e4ed559102ce82daf996277bb86597c767ec0eab9d954e728d0743c82138ffa0a58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lgkrxtvv\lgkrxtvv.cmdline

Filesize
312B

MD5
c89a92209013396891abbc5e60985f85

SHA1
317e3509a8fac676617b54381258130389d8d597

SHA256
abbf0b2f6285b145774058d0a4a621adebc6c7d93e1ceeece359aba8570b1866

SHA512
bf271fb8f6795c096450424460e2a6f9510e0349c35ce48468fb939c591c9a0d8371252fb3cd47ce349641bc49fcbf486199b30d146fdd5aa9ab47916fab851d

Download Submit
memory/1304-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1304-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1304-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1304-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1304-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2172-19-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/2172-21-0x0000000005890000-0x000000000589C000-memory.dmp

Filesize
48KB

Download
memory/2172-24-0x0000000005C90000-0x0000000005CBC000-memory.dmp

Filesize
176KB

Download
memory/2172-25-0x0000000006040000-0x00000000060DC000-memory.dmp

Filesize
624KB

Download
memory/2172-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/2172-20-0x0000000005C50000-0x0000000005C82000-memory.dmp

Filesize
200KB

Download
memory/2172-30-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2172-5-0x00000000744B0000-0x0000000074C60000-memory.dmp

Filesize
7.7MB

Download
memory/2172-17-0x0000000003220000-0x000000000322A000-memory.dmp

Filesize
40KB

Download
memory/2172-1-0x0000000000F40000-0x0000000000F7E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing