netwire | c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c

General

Target

2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe
Size

216KB
MD5

2a02f52b64bb0b2ffce4fb81b4517c7c
SHA1

b3a46bb392a8b40c12ac046dfdc3572132155aab
SHA256

c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c
SHA512

4814e9064e9ed6c4cdc6e514e7a7e73c227fe598904d654cadb98ef1acee51ba987d937547f80e0aeb1972cda86ae3f22addfaf83490a906ec1927f3980be786
SSDEEP

6144:59nNMa2B9x4UmQrrYfZUgWKZtFivagH8mlE:DNMaA9x4hdWqtAVHv

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4768-26-0x0000000005910000-0x000000000593C000-memory.dmp	netwire
behavioral2/memory/4864-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4864-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4864-33-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jkzoKD.url	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe
4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe
4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4012	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	99
PID 4768 wrote to memory of 4012	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	99
PID 4768 wrote to memory of 4012	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	99
PID 4012 wrote to memory of 4288	4012	csc.exe	104
PID 4012 wrote to memory of 4288	4012	csc.exe	104
PID 4012 wrote to memory of 4288	4012	csc.exe	104
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105
PID 4768 wrote to memory of 4864	4768	2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe	105

C:\Users\Admin\AppData\Local\Temp\2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a02f52b64bb0b2ffce4fb81b4517c7c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqtz4cdj\wqtz4cdj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8ED8.tmp" "c:\Users\Admin\AppData\Local\Temp\wqtz4cdj\CSC116397FEB47043D0B3CC167C118882EF.TMP"
    3⤵
    PID:4288
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8ED8.tmp

Filesize
1KB

MD5
f4897f352c420ba79b19a1f25903f196

SHA1
2baa3b280e30e79d33978d5582d4c51f02697ebf

SHA256
75f64226d3ae837c2c8b9eb792e3365b5c317a407687977745f1743a14c6b69d

SHA512
07782f22728d68b2f57bc64db621a5190bc99b902f22812d75189d10d62747604a3dd52db8bed3b9156f02c24ecc493759d6edb062ef8647fa40514c1f086005

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqtz4cdj\wqtz4cdj.dll

Filesize
11KB

MD5
07e9873ab38e422c50119ea57f1e0a84

SHA1
86050c24b116237811b06e9ce5c0b5b8200c247a

SHA256
cfb728d40ff2a3390b2c12ce3ce5d72c5768c091e322b0a765192c28108c94a1

SHA512
0567c623d82fcc12a979792e3d9df3223b6bca772cbc99711c7e64a0ec5519f66f0b886272bd193aadf3d6f61a2a127277d0e71b12d1c906c3ca0c02b4cdfdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqtz4cdj\wqtz4cdj.pdb

Filesize
37KB

MD5
530fce585d9719786923d623f4996442

SHA1
57302d92fcf5d1f5cd5021edbb8bf0efd537239a

SHA256
6825ad64e322385e82e64f70e3ffc471bf1a1becb759e3c5cf55c0541e6ef635

SHA512
d17b1f8a50c40f58b629472504948fb6feb741901cf38d40e0fed441335a2ca1d8338bd4d26ab099c6dbe63d14a90d37621e76b04753b66bf57b2e2d79efd550

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqtz4cdj\CSC116397FEB47043D0B3CC167C118882EF.TMP

Filesize
1KB

MD5
33919960a0d1ce2bcfdabfeef9be674c

SHA1
9b5fb0c5e9a522c0d1c56980b004af02d5efaf29

SHA256
7314d46d7b0a62af89d1116d31005da3c371ba9511cb7c48837bd5fd950113f1

SHA512
f6097cdad11ab5a759bdced9e99d3e9377bb9f391c621c0b91cf00d2b16166792b557b8982f429d64425632050d2e40372e2f84447c6cbb6d39f667e660992e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqtz4cdj\wqtz4cdj.0.cs

Filesize
17KB

MD5
f14a0c054d74a07c20a32d5193fa41b0

SHA1
e17f3e9989e3a411e18d12a726f27f250f7f0e93

SHA256
f500836069863e071f17c809bf2459f7e1054e900c9ecc48bd0ffe5eaf8db01c

SHA512
e6c71c666ae48aa4244ffed024f58827448165381c171280f2622ba8fe3ef42ae7019065926ef3d9fd9590753cf81604da0bce950045b7f16b85445dd29fb5dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqtz4cdj\wqtz4cdj.cmdline

Filesize
312B

MD5
266a0f9c6937a5a7e97a77bc2e017a8c

SHA1
968de5424bb15a24fb4a7344868db2c8db5bd6e9

SHA256
4e5573fff8443427a22d0800a477449d1c8fbe89d893e490aca652abad9d81b7

SHA512
05144c27378e99a4075a0093ecba128dbf6b197ca62488ba3c1ad72dab3b744577aeb4ca80a32d5731999b6a0601a3fe0475dbe63ba2c960ec6c4ae721f3b26d

Download Submit
memory/4768-22-0x00000000056A0000-0x00000000056D2000-memory.dmp

Filesize
200KB

Download
memory/4768-27-0x0000000005B90000-0x0000000005C2C000-memory.dmp

Filesize
624KB

Download
memory/4768-5-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-2-0x0000000000970000-0x00000000009AC000-memory.dmp

Filesize
240KB

Download
memory/4768-1-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/4768-19-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download
memory/4768-9-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-23-0x00000000056D0000-0x00000000056DC000-memory.dmp

Filesize
48KB

Download
memory/4768-21-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/4768-26-0x0000000005910000-0x000000000593C000-memory.dmp

Filesize
176KB

Download
memory/4768-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/4768-32-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4864-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4864-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4864-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing