netwire | 593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b

General

Target

4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
Size

685KB
MD5

4a345ff1d667f3fd5d76178149e97861
SHA1

1b0636c3d65c906bea35daccfe8b124faae02249
SHA256

593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b
SHA512

d93f02548e2eb2cd0dc1a25a0a6e78f66b190b0dffa772f53ee1bd2c6725c41eaddb90a8e19bcfb1beff07b3b0c780904817f77f8802018440e7a132176f9fab
SSDEEP

12288:AVkUO8yIy581Qv8yIy581QfOjJ+AUdFG:aYn8m/n8m8Udw

Score

10^/10

netwire agilenet botnet persistence rat stealer

Malware Config

Extracted

Family

netwire

C2

watsonly.ddns.net:1191

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\WiaLogs\
lock_executable
false
mutex
NCPblmjG
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Windows Defender
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2364-8-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2364-12-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2364-14-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2592-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/2592-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

4764 Host.exe
2592 Host.exe

pid	process
4764	Host.exe
2592	Host.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4852-2-0x00000000056B0000-0x00000000056D8000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\Host.exe"	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exeHost.exe

description	pid	process	target process
PID 4852 set thread context of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4764 set thread context of 2592	4764	Host.exe	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exeHost.exe

description pid process

Token: SeDebugPrivilege 4852 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
Token: SeDebugPrivilege 4764 Host.exe

description	pid	process
Token: SeDebugPrivilege	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
Token: SeDebugPrivilege	4764	Host.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exeHost.exe

description	pid	process	target process
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 4852 wrote to memory of 2364	4852	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
PID 2364 wrote to memory of 4764	2364	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	Host.exe
PID 2364 wrote to memory of 4764	2364	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	Host.exe
PID 2364 wrote to memory of 4764	2364	4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe
PID 4764 wrote to memory of 2592	4764	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852

C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
685KB

MD5
4a345ff1d667f3fd5d76178149e97861

SHA1
1b0636c3d65c906bea35daccfe8b124faae02249

SHA256
593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b

SHA512
d93f02548e2eb2cd0dc1a25a0a6e78f66b190b0dffa772f53ee1bd2c6725c41eaddb90a8e19bcfb1beff07b3b0c780904817f77f8802018440e7a132176f9fab

Download Submit
memory/2364-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2364-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2364-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2592-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4764-20-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4764-18-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/4764-27-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4764-21-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/4852-3-0x0000000008220000-0x00000000087C4000-memory.dmp

Filesize
5.6MB

Download
memory/4852-5-0x0000000007C70000-0x0000000007D02000-memory.dmp

Filesize
584KB

Download
memory/4852-7-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/4852-19-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4852-4-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4852-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/4852-9-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/4852-2-0x00000000056B0000-0x00000000056D8000-memory.dmp

Filesize
160KB

Download
memory/4852-6-0x00000000080A0000-0x000000000813C000-memory.dmp

Filesize
624KB

Download
memory/4852-1-0x0000000000C70000-0x0000000000D24000-memory.dmp

Filesize
720KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads