netwire | c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c

General

Target

2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe
Size

216KB
MD5

2a02f52b64bb0b2ffce4fb81b4517c7c
SHA1

b3a46bb392a8b40c12ac046dfdc3572132155aab
SHA256

c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c
SHA512

4814e9064e9ed6c4cdc6e514e7a7e73c227fe598904d654cadb98ef1acee51ba987d937547f80e0aeb1972cda86ae3f22addfaf83490a906ec1927f3980be786
SSDEEP

6144:59nNMa2B9x4UmQrrYfZUgWKZtFivagH8mlE:DNMaA9x4hdWqtAVHv

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/1508-23-0x00000000007E0000-0x000000000080C000-memory.dmp	netwire
behavioral1/memory/1952-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-36-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-37-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1952-44-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jkzoKD.url	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe
1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2516	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	28
PID 1508 wrote to memory of 2516	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	28
PID 1508 wrote to memory of 2516	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	28
PID 1508 wrote to memory of 2516	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	28
PID 2516 wrote to memory of 2620	2516	csc.exe	30
PID 2516 wrote to memory of 2620	2516	csc.exe	30
PID 2516 wrote to memory of 2620	2516	csc.exe	30
PID 2516 wrote to memory of 2620	2516	csc.exe	30
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31
PID 1508 wrote to memory of 1952	1508	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pe0pch0p\pe0pch0p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E0.tmp" "c:\Users\Admin\AppData\Local\Temp\pe0pch0p\CSCF40CF762B65C4CC2BD3D6C39E5C37A1.TMP"
    3⤵
    PID:2620
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9E0.tmp

Filesize
1KB

MD5
6da4f408a11107cb40b0443dfcb9173f

SHA1
538244f0ce12e60229394bbd6656ecb5e26fd06c

SHA256
f3e28965c9db7fb0b95deecbd18254b5feca68b719bee9ea1dc1d64d8660f9bb

SHA512
31fd628d1741edfc23f7be92ddfc80f57b8138afd9871ac002d5010ad68aa7e0e0781151785399b2ac9a3105589e579aebdcfcf8618843388fe26e69b37eb6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pe0pch0p\pe0pch0p.dll

Filesize
11KB

MD5
a978aea57bdb2dd8905aa580b97325b6

SHA1
1128fa128fbc3fba67fa45eb4b110da114b996fd

SHA256
da96de24807ccfbd7e972ca165137176304b385db68beb494ebf9fd8b7f063a4

SHA512
795721b17b5bbbe3839f5f087fb5fe3da0e26f992e5e26f7380558a9badff75d988668bd832e694bf2cfd5331966d44d7dd6d3b96d8cb02ab31e9bb36f1c1ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pe0pch0p\pe0pch0p.pdb

Filesize
37KB

MD5
4bad8ee5e3ea27127d60d2b336111c3f

SHA1
0c37d4fdf227069674003d48f52d5960d6f66ac4

SHA256
b0695fb2130999d9672e86ca9280b1368a789a62b488d9d91e291933b883cadc

SHA512
056c884bd7fae06192ffed487c491704dc86d36b02554469b822bf2a527b48cf998eb9463e47395135b409578bfab1359d8d445a083b5fba5d1d065a88b210b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pe0pch0p\CSCF40CF762B65C4CC2BD3D6C39E5C37A1.TMP

Filesize
1KB

MD5
2b2129a5b81fb547d7f5d92ab802fdaa

SHA1
cd355fba54da61e14cbfed3c106bb5cbb1ad1027

SHA256
d3007c7f8d6cfb2c65d86e1fef06e2c8f653ea81aecb65fcb4ae7c4db0714436

SHA512
e36ff78627cbb0d53b3a45a5650ca24ea6e2e0f1f0d3f74c87f9f10104d382a97cb08f788e408c61d2f9d8b1f38362d460392da21a0b78db6dc985c8f3b648d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pe0pch0p\pe0pch0p.0.cs

Filesize
17KB

MD5
f14a0c054d74a07c20a32d5193fa41b0

SHA1
e17f3e9989e3a411e18d12a726f27f250f7f0e93

SHA256
f500836069863e071f17c809bf2459f7e1054e900c9ecc48bd0ffe5eaf8db01c

SHA512
e6c71c666ae48aa4244ffed024f58827448165381c171280f2622ba8fe3ef42ae7019065926ef3d9fd9590753cf81604da0bce950045b7f16b85445dd29fb5dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pe0pch0p\pe0pch0p.cmdline

Filesize
312B

MD5
5c82dbb8ddcf5eb4ca0af4afa65cd180

SHA1
64b58e357b7089781c46280e7f65a518ca33c249

SHA256
3203289708a302a7e577a20092e6215885913526dc7522887b74a5169dc0eb2a

SHA512
900b4be8444f51dbdfdcb338b64ea25acbd57da77cc337acaf4aaa857b439da32a3a26d2dd11704d1b7a1566855c695377d81bcfa53c0092e55c9d095301eef3

Download Submit
memory/1508-23-0x00000000007E0000-0x000000000080C000-memory.dmp

Filesize
176KB

Download
memory/1508-5-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/1508-1-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/1508-17-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1508-19-0x00000000006A0000-0x00000000006D2000-memory.dmp

Filesize
200KB

Download
memory/1508-20-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/1508-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/1508-35-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Filesize
6.9MB

Download
memory/1952-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1952-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing