netwire | d4103e933d33c9257967b632f9c4cedc5f57e15abd2c0357ce7e9966881cc97d

General

Target

260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe
Size

231KB
MD5

260b768a03390af34cf4d91ced33fb0e
SHA1

19022cee29e978d9e56af5931421c115c522ee31
SHA256

d4103e933d33c9257967b632f9c4cedc5f57e15abd2c0357ce7e9966881cc97d
SHA512

05fd9b1eba3f4217b49b4b7eed58634eb7cf944dfa367a0e868c15862a3399e6e874754ab9ffda785a47a7b850d6e24bc777ba55fe47c1405cd28534869841c3
SSDEEP

3072:2xfqOcLw3jpU6+NAs9ejLSxKy2jSb/DCKvNSs7ZAHS6vYAdz7QgRrYEaFxuAc2:wqOPzpU6+NCLSK8GBcZAHStYXRrYHc2

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/2268-23-0x00000000006F0000-0x000000000071C000-memory.dmp	netwire
behavioral1/memory/2636-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2636-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2636-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2636-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2636-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2636-36-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2636-37-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2636-44-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tEsQxF.url	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2268 set thread context of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe
2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2244	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2244	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2244	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	28
PID 2268 wrote to memory of 2244	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2948	2244	csc.exe	30
PID 2244 wrote to memory of 2948	2244	csc.exe	30
PID 2244 wrote to memory of 2948	2244	csc.exe	30
PID 2244 wrote to memory of 2948	2244	csc.exe	30
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31
PID 2268 wrote to memory of 2636	2268	260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\260b768a03390af34cf4d91ced33fb0e_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wbbmch1q\wbbmch1q.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10E2.tmp" "c:\Users\Admin\AppData\Local\Temp\wbbmch1q\CSCC029102333643CEBA9DD02DAD525AA2.TMP"
    3⤵
    PID:2948
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES10E2.tmp

Filesize
1KB

MD5
06ff9a248115818ba2b7429aaef456ab

SHA1
a364247611fe221be703353dbc4bd48f62af2a8e

SHA256
812030a730c5aac1504a645622691abca6511fcf69f26fcee076b1d44e9252c1

SHA512
f3643a6cd98d706c33f3d7f77236906d3b963e609db2787518f0c4b48f8e2863cf9150577938040438df706e064e9a86c48520727697e5eb2d2efa851464f5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbbmch1q\wbbmch1q.dll

Filesize
14KB

MD5
c8cb36130159bb7175e733ea86479075

SHA1
518fe2fef0077de4e0d1c54124153174388fd065

SHA256
46a034d72fa7ad96c034dcd1648af253eb43428ddca11ff07eaefda27410527e

SHA512
f8ae8d509df7b418e105bf7ad231f83d48caf4df1db588d653b56daa775064d92cd9ef09d0134d6002a65d1113266cc99d16e158403cae34d0a7946606ae131d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wbbmch1q\wbbmch1q.pdb

Filesize
49KB

MD5
ea3bff62791c860f2d89148c39ed6f74

SHA1
e6c2fb162eae7a04676b77dedafa5dc87e4f17f5

SHA256
c0f01c73ae2b6a1d4d26df1b62be8b695a030bcd4747d413f8ab5ef95bfc1af3

SHA512
1390735c67d97d356bfe77302381e376a3c3785c71c4471fa2dfd2c70efbab2e534419cf687205221310e5f764d2bc8d45ec7b67c10fa479bef6f58b1f48155d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbbmch1q\CSCC029102333643CEBA9DD02DAD525AA2.TMP

Filesize
1KB

MD5
8403572fe7d94aba5b62cfb861ef4c2c

SHA1
8ba08d0ab1e7c53f903fc6d58688affa68cd2313

SHA256
95853fc781ad3c1439ab6210474ee05e0a4157fbf270bdbcb9a5fbf1eaecc997

SHA512
04aab158ec5ebc08cfaec92fd68ca648e13b2b7d89d85d7e35483c2c28f66312f240b956554ce12ae6a946b361a96314416472df55ae767899da7a424b5dfdf8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbbmch1q\wbbmch1q.0.cs

Filesize
28KB

MD5
775bb4ff684fb0f6da487cc2420a3f6a

SHA1
9fbc1385b325aaa6b0677fc0690094e5711cd719

SHA256
4ece1996c472ceb3dd020487771dfdcabddc1e12503b4a31d099e3ef5f649c3a

SHA512
8786a6108139f210131565526c2561f425b5a39fc9036e0fbbea30e83f8f54bce4ae44503ad6f720713a3162e97eeeb41803da0ff236690da1a34ac69ecb0929

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wbbmch1q\wbbmch1q.cmdline

Filesize
312B

MD5
fc73d0b0fa95f699a0a4a674ac443ea2

SHA1
18d479b0ff5a2566a05428609e33fd3a3a0aa87e

SHA256
18b774ecd079de1bb5fc2e0030a484fdb0daeff3fdd0ef0338442d6687a72cc3

SHA512
6c552a4dbc21aa36a1c4329c7cccdb7b501132283a696fb8c2b6dd02a85975337d49190df6f2044f589f6d0e1f289b9a584fd0baac901151e7fd4f20b91b0ef6

Download Submit
memory/2268-23-0x00000000006F0000-0x000000000071C000-memory.dmp

Filesize
176KB

Download
memory/2268-6-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/2268-1-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2268-17-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2268-19-0x0000000000620000-0x0000000000652000-memory.dmp

Filesize
200KB

Download
memory/2268-20-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2268-0-0x000000007467E000-0x000000007467F000-memory.dmp

Filesize
4KB

Download
memory/2268-35-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2636-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing