netwire | 091b82a4ba69c0c3f5419e529a6a8627199cf8b01d64214a60ec16ee603e60c0

General

Target

43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe
Size

203KB
MD5

43ed291cccfc3d31bbb01e7ac7c28c83
SHA1

224c53321af6f3b7ac43889c8394577d94c38963
SHA256

091b82a4ba69c0c3f5419e529a6a8627199cf8b01d64214a60ec16ee603e60c0
SHA512

fa3954d1aa4735996c923b6ebbd3def1142f379cc1cc1a2926eed8844adad839aee76c4d9eb6bcc32924d99e61b85e8a220bad1cd90a1e37cfe25aa1be6a9d54
SSDEEP

6144:D1onxwmWBbeEAev/25KFWJ3iiew9F9gZZbf:hoxwJP251iibaf

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

ddns.catamosky.biz:4886

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
APRIL
install_path
%AppData%\Install\Hostiuj.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
fhYmpchh
offline_keylogger
true
password
Trinidado1@
registry_autorun
true
startup_name
hostiuj
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2600-9-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2600-11-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2600-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2792-33-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2792-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2792-35-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2652	Hostiuj.exe
2792	Hostiuj.exe

Loads dropped DLL 3 IoCs

pid	Process
2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe
2600	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe
2652	Hostiuj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\hostiuj = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Hostiuj.exe"	Hostiuj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 2600	2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	28
PID 2652 set thread context of 2792	2652	Hostiuj.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0033000000014817-14.dat	nsis_installer_1
behavioral1/files/0x0033000000014817-14.dat	nsis_installer_2

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe
2652	Hostiuj.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2600	2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2600	2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2600	2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2600	2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2600	2324	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	28
PID 2600 wrote to memory of 2652	2600	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	29
PID 2600 wrote to memory of 2652	2600	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	29
PID 2600 wrote to memory of 2652	2600	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	29
PID 2600 wrote to memory of 2652	2600	43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe	29
PID 2652 wrote to memory of 2792	2652	Hostiuj.exe	30
PID 2652 wrote to memory of 2792	2652	Hostiuj.exe	30
PID 2652 wrote to memory of 2792	2652	Hostiuj.exe	30
PID 2652 wrote to memory of 2792	2652	Hostiuj.exe	30
PID 2652 wrote to memory of 2792	2652	Hostiuj.exe	30

C:\Users\Admin\AppData\Local\Temp\43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\43ed291cccfc3d31bbb01e7ac7c28c83_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe
    "C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe
      "C:\Users\Admin\AppData\Roaming\Install\Hostiuj.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy1528.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Roaming\Install\Hostiuj.exe

Filesize
203KB

MD5
43ed291cccfc3d31bbb01e7ac7c28c83

SHA1
224c53321af6f3b7ac43889c8394577d94c38963

SHA256
091b82a4ba69c0c3f5419e529a6a8627199cf8b01d64214a60ec16ee603e60c0

SHA512
fa3954d1aa4735996c923b6ebbd3def1142f379cc1cc1a2926eed8844adad839aee76c4d9eb6bcc32924d99e61b85e8a220bad1cd90a1e37cfe25aa1be6a9d54

Download Submit
memory/2324-7-0x00000000003C0000-0x00000000003E5000-memory.dmp

Filesize
148KB

Download
memory/2324-10-0x00000000003C0000-0x00000000003E5000-memory.dmp

Filesize
148KB

Download
memory/2600-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2652-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-33-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2792-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2792-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads