netwire | b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe
Size

1.4MB
MD5

de1e174be721794fcee0c1dfc86a2b03
SHA1

2c57d5f9bf66b684e9021ad58cec784145aaad7c
SHA256

b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967
SHA512

84caaebbdb20a175448c9aad2c6b1cce7f3114a43e32e890da03414bcdb5a660734402dd26cb8493720c2d30695973055614f870e03b310b9cfeb0a3dba85ea8
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYj:Fo0c++OCokGs9Fa+rd1f26RNYj

Score

10^/10

netwire warzonerat botnet infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 14 IoCs

rat

resource	yara_rule
behavioral1/memory/1688-0-0x0000000001210000-0x000000000137B000-memory.dmp	netwire
behavioral1/files/0x000e00000001226f-3.dat	netwire
behavioral1/memory/2028-24-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1688-40-0x0000000001210000-0x000000000137B000-memory.dmp	netwire
behavioral1/files/0x0007000000017042-46.dat	netwire
behavioral1/memory/2172-48-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2944-49-0x0000000000E90000-0x0000000000FFB000-memory.dmp	netwire
behavioral1/memory/2944-77-0x0000000000E90000-0x0000000000FFB000-memory.dmp	netwire
behavioral1/memory/2172-85-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1036-86-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2324-97-0x0000000000E90000-0x0000000000FFB000-memory.dmp	netwire
behavioral1/memory/2324-115-0x0000000000E90000-0x0000000000FFB000-memory.dmp	netwire
behavioral1/memory/1288-138-0x0000000000E90000-0x0000000000FFB000-memory.dmp	netwire
behavioral1/memory/1288-157-0x0000000000E90000-0x0000000000FFB000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2728-27-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat
behavioral1/memory/2728-37-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat

Executes dropped EXE 11 IoCs

pid	Process
2028	Blasthost.exe
2172	Host.exe
2944	RtDCpl64.exe
1036	Blasthost.exe
1500	RtDCpl64.exe
2324	RtDCpl64.exe
1492	Blasthost.exe
2612	RtDCpl64.exe
1288	RtDCpl64.exe
1588	Blasthost.exe
1932	RtDCpl64.exe

Loads dropped DLL 16 IoCs

pid	Process
1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe
1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe
1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe
1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe
2028	Blasthost.exe
2028	Blasthost.exe
2944	RtDCpl64.exe
2944	RtDCpl64.exe
2944	RtDCpl64.exe
2944	RtDCpl64.exe
2324	RtDCpl64.exe
2324	RtDCpl64.exe
2324	RtDCpl64.exe
1288	RtDCpl64.exe
1288	RtDCpl64.exe
1288	RtDCpl64.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1688-0-0x0000000001210000-0x000000000137B000-memory.dmp	autoit_exe
behavioral1/memory/1688-40-0x0000000001210000-0x000000000137B000-memory.dmp	autoit_exe
behavioral1/files/0x0007000000017042-46.dat	autoit_exe
behavioral1/memory/2944-49-0x0000000000E90000-0x0000000000FFB000-memory.dmp	autoit_exe
behavioral1/memory/2944-77-0x0000000000E90000-0x0000000000FFB000-memory.dmp	autoit_exe
behavioral1/memory/2324-97-0x0000000000E90000-0x0000000000FFB000-memory.dmp	autoit_exe
behavioral1/memory/2324-115-0x0000000000E90000-0x0000000000FFB000-memory.dmp	autoit_exe
behavioral1/memory/1288-138-0x0000000000E90000-0x0000000000FFB000-memory.dmp	autoit_exe
behavioral1/memory/1288-157-0x0000000000E90000-0x0000000000FFB000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2728	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	30
PID 2944 set thread context of 1500	2944	RtDCpl64.exe	38
PID 2324 set thread context of 2612	2324	RtDCpl64.exe	47
PID 1288 set thread context of 1932	1288	RtDCpl64.exe	54

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1324	schtasks.exe
2252	schtasks.exe
448	schtasks.exe
2664	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2028	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	28
PID 1688 wrote to memory of 2028	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	28
PID 1688 wrote to memory of 2028	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	28
PID 1688 wrote to memory of 2028	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	28
PID 2028 wrote to memory of 2172	2028	Blasthost.exe	29
PID 2028 wrote to memory of 2172	2028	Blasthost.exe	29
PID 2028 wrote to memory of 2172	2028	Blasthost.exe	29
PID 2028 wrote to memory of 2172	2028	Blasthost.exe	29
PID 1688 wrote to memory of 2728	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	30
PID 1688 wrote to memory of 2728	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	30
PID 1688 wrote to memory of 2728	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	30
PID 1688 wrote to memory of 2728	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	30
PID 1688 wrote to memory of 2728	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	30
PID 1688 wrote to memory of 2728	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	30
PID 1688 wrote to memory of 1324	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	31
PID 1688 wrote to memory of 1324	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	31
PID 1688 wrote to memory of 1324	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	31
PID 1688 wrote to memory of 1324	1688	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	31
PID 2728 wrote to memory of 2788	2728	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	33
PID 2728 wrote to memory of 2788	2728	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	33
PID 2728 wrote to memory of 2788	2728	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	33
PID 2728 wrote to memory of 2788	2728	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	33
PID 2728 wrote to memory of 2788	2728	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	33
PID 2728 wrote to memory of 2788	2728	b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe	33
PID 2588 wrote to memory of 2944	2588	taskeng.exe	36
PID 2588 wrote to memory of 2944	2588	taskeng.exe	36
PID 2588 wrote to memory of 2944	2588	taskeng.exe	36
PID 2588 wrote to memory of 2944	2588	taskeng.exe	36
PID 2944 wrote to memory of 1036	2944	RtDCpl64.exe	37
PID 2944 wrote to memory of 1036	2944	RtDCpl64.exe	37
PID 2944 wrote to memory of 1036	2944	RtDCpl64.exe	37
PID 2944 wrote to memory of 1036	2944	RtDCpl64.exe	37
PID 2944 wrote to memory of 1500	2944	RtDCpl64.exe	38
PID 2944 wrote to memory of 1500	2944	RtDCpl64.exe	38
PID 2944 wrote to memory of 1500	2944	RtDCpl64.exe	38
PID 2944 wrote to memory of 1500	2944	RtDCpl64.exe	38
PID 2944 wrote to memory of 1500	2944	RtDCpl64.exe	38
PID 2944 wrote to memory of 1500	2944	RtDCpl64.exe	38
PID 2944 wrote to memory of 2252	2944	RtDCpl64.exe	39
PID 2944 wrote to memory of 2252	2944	RtDCpl64.exe	39
PID 2944 wrote to memory of 2252	2944	RtDCpl64.exe	39
PID 2944 wrote to memory of 2252	2944	RtDCpl64.exe	39
PID 1500 wrote to memory of 2828	1500	RtDCpl64.exe	40
PID 1500 wrote to memory of 2828	1500	RtDCpl64.exe	40
PID 1500 wrote to memory of 2828	1500	RtDCpl64.exe	40
PID 1500 wrote to memory of 2828	1500	RtDCpl64.exe	40
PID 1500 wrote to memory of 2828	1500	RtDCpl64.exe	40
PID 1500 wrote to memory of 2828	1500	RtDCpl64.exe	40
PID 2588 wrote to memory of 2324	2588	taskeng.exe	45
PID 2588 wrote to memory of 2324	2588	taskeng.exe	45
PID 2588 wrote to memory of 2324	2588	taskeng.exe	45
PID 2588 wrote to memory of 2324	2588	taskeng.exe	45
PID 2324 wrote to memory of 1492	2324	RtDCpl64.exe	46
PID 2324 wrote to memory of 1492	2324	RtDCpl64.exe	46
PID 2324 wrote to memory of 1492	2324	RtDCpl64.exe	46
PID 2324 wrote to memory of 1492	2324	RtDCpl64.exe	46
PID 2324 wrote to memory of 2612	2324	RtDCpl64.exe	47
PID 2324 wrote to memory of 2612	2324	RtDCpl64.exe	47
PID 2324 wrote to memory of 2612	2324	RtDCpl64.exe	47
PID 2324 wrote to memory of 2612	2324	RtDCpl64.exe	47
PID 2324 wrote to memory of 2612	2324	RtDCpl64.exe	47
PID 2324 wrote to memory of 2612	2324	RtDCpl64.exe	47
PID 2612 wrote to memory of 2192	2612	RtDCpl64.exe	48
PID 2612 wrote to memory of 2192	2612	RtDCpl64.exe	48

C:\Users\Admin\AppData\Local\Temp\b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe
"C:\Users\Admin\AppData\Local\Temp\b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
    3⤵
    - Executes dropped EXE
    PID:2172
- C:\Users\Admin\AppData\Local\Temp\b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe
  "C:\Users\Admin\AppData\Local\Temp\b667d99285d7b65b13484c524fb20c9d0c390a258714349b17a1f3b61ee6d967.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2788
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1324

C:\Windows\system32\taskeng.exe
taskeng.exe {96E57D32-0B46-45B5-9130-CF308513D839} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    3⤵
    - Executes dropped EXE
    PID:1036
- - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2252
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:448
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:1288
- - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    3⤵
    - Executes dropped EXE
    PID:1588
- - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    3⤵
    - Executes dropped EXE
    PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.4MB

MD5
548811dcf9abd673dbf1218212d7b641

SHA1
b25b635500692d732dd0e9b3b9f65ad51fe432c0

SHA256
c12d6128e7e7bb28b6baa6acbfe286e5688185a3214cc0dc3b70b1a95b75b87d

SHA512
eef43f0e3d063db6ee21d366ef5b0781ce5c2817a593b9c2857954432f7c25fcb0d3381cbdb6e7f996ee9a369299a4da5bc484470afc5af5e129b7f786e41ad2

Download Submit
\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
memory/1036-86-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1288-157-0x0000000000E90000-0x0000000000FFB000-memory.dmp

Filesize
1.4MB

Download
memory/1288-138-0x0000000000E90000-0x0000000000FFB000-memory.dmp

Filesize
1.4MB

Download
memory/1500-73-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-38-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1688-40-0x0000000001210000-0x000000000137B000-memory.dmp

Filesize
1.4MB

Download
memory/1688-0-0x0000000001210000-0x000000000137B000-memory.dmp

Filesize
1.4MB

Download
memory/2028-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2172-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2172-85-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2192-118-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2324-115-0x0000000000E90000-0x0000000000FFB000-memory.dmp

Filesize
1.4MB

Download
memory/2324-97-0x0000000000E90000-0x0000000000FFB000-memory.dmp

Filesize
1.4MB

Download
memory/2728-34-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-37-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2728-26-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2728-27-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2788-43-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2788-41-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2828-81-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2944-77-0x0000000000E90000-0x0000000000FFB000-memory.dmp

Filesize
1.4MB

Download
memory/2944-49-0x0000000000E90000-0x0000000000FFB000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads