netwire | 593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b

General

Target

4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
Size

685KB
MD5

4a345ff1d667f3fd5d76178149e97861
SHA1

1b0636c3d65c906bea35daccfe8b124faae02249
SHA256

593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b
SHA512

d93f02548e2eb2cd0dc1a25a0a6e78f66b190b0dffa772f53ee1bd2c6725c41eaddb90a8e19bcfb1beff07b3b0c780904817f77f8802018440e7a132176f9fab
SSDEEP

12288:AVkUO8yIy581Qv8yIy581QfOjJ+AUdFG:aYn8m/n8m8Udw

Score

10^/10

netwire agilenet botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

watsonly.ddns.net:1191

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\WiaLogs\
lock_executable
false
mutex
NCPblmjG
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Windows Defender
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2072-8-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2072-9-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2072-10-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2072-14-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2072-16-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2072-21-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2760-54-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire
behavioral1/memory/2760-50-0x0000000000080000-0x00000000000AC000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 2 IoCs

pid	Process
2788	Host.exe
2760	Host.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1728-2-0x0000000000450000-0x0000000000478000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 2788 set thread context of 2760	2788	Host.exe	30

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
Token: SeDebugPrivilege	2788	Host.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 1728 wrote to memory of 2072	1728	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	28
PID 2072 wrote to memory of 2788	2072	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2788	2072	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2788	2072	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	29
PID 2072 wrote to memory of 2788	2072	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	29
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30
PID 2788 wrote to memory of 2760	2788	Host.exe	30

C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Roaming\Install\Host.exe
    "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
      "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
685KB

MD5
4a345ff1d667f3fd5d76178149e97861

SHA1
1b0636c3d65c906bea35daccfe8b124faae02249

SHA256
593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b

SHA512
d93f02548e2eb2cd0dc1a25a0a6e78f66b190b0dffa772f53ee1bd2c6725c41eaddb90a8e19bcfb1beff07b3b0c780904817f77f8802018440e7a132176f9fab

Download Submit
memory/1728-13-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000009A0000-0x0000000000A54000-memory.dmp

Filesize
720KB

Download
memory/1728-2-0x0000000000450000-0x0000000000478000-memory.dmp

Filesize
160KB

Download
memory/1728-3-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-4-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-22-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/2072-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-6-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2072-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2760-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-50-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2760-54-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/2788-25-0x0000000000EA0000-0x0000000000F54000-memory.dmp

Filesize
720KB

Download
memory/2788-39-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-28-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-44-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-27-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-26-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2788-55-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads