netwire | 8dcaf4a7db1469a9da01fb183bc1369a8067ae081dc8074ab9fa5d6ccb150292

Analysis

max time kernel
134s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe
Size

315KB
MD5

2eaa85a17c04051ac6d62ec3e3e3990d
SHA1

15cb004c746ed141e39a752acd88bc8e78a565f1
SHA256

8dcaf4a7db1469a9da01fb183bc1369a8067ae081dc8074ab9fa5d6ccb150292
SHA512

332371e6b6707265d02134c533d44144910ab36c154f87b3edd2bac4158a4df4da995de6b4f7655fd6e1ad657bdba651585df02a1e607ac4c843db4faa94e9fd
SSDEEP

3072:wQjJFH9xHfYxWLHvXZJ9hu2aB1wDRqVxaM5P6nnE6BWlNtZ4gshEfpLEL3MpoaKk:wyLdxHfYxWphRaimx96nn/ynshJ/Mn9

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

nicemove.100chickens.biz:3360

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
kieITJcD
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Onedrive update
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2292-3-0x000000000FA50000-0x000000000FAA2000-memory.dmp	netwire
behavioral1/memory/2292-9-0x000000000FA50000-0x000000000FAA2000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
864	Host.exe

Loads dropped DLL 1 IoCs

pid	Process
2292	2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 864	2292	2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe	31
PID 2292 wrote to memory of 864	2292	2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe	31
PID 2292 wrote to memory of 864	2292	2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe	31
PID 2292 wrote to memory of 864	2292	2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2eaa85a17c04051ac6d62ec3e3e3990d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Roaming\Install\Host.exe
  "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
  2⤵
  - Executes dropped EXE
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
315KB

MD5
2eaa85a17c04051ac6d62ec3e3e3990d

SHA1
15cb004c746ed141e39a752acd88bc8e78a565f1

SHA256
8dcaf4a7db1469a9da01fb183bc1369a8067ae081dc8074ab9fa5d6ccb150292

SHA512
332371e6b6707265d02134c533d44144910ab36c154f87b3edd2bac4158a4df4da995de6b4f7655fd6e1ad657bdba651585df02a1e607ac4c843db4faa94e9fd

Download Submit
memory/2292-0-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/2292-1-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2292-2-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/2292-3-0x000000000FA50000-0x000000000FAA2000-memory.dmp

Filesize
328KB

Download
memory/2292-9-0x000000000FA50000-0x000000000FAA2000-memory.dmp

Filesize
328KB

Download