netwire | 8179e523d196826f89bf5850d4d6a3dc6ec6ebf8240f3e6c9dfb5b619f1d6f49

General

Target

04f74088eccf00f8b5f064e40d23ca50.exe
Size

1.3MB
MD5

04f74088eccf00f8b5f064e40d23ca50
SHA1

49d23212f6c8ac9571f4f2b76dc1e9d94bdd3484
SHA256

8179e523d196826f89bf5850d4d6a3dc6ec6ebf8240f3e6c9dfb5b619f1d6f49
SHA512

f139786a54aa5a2dd798934cd5589f19cbb936d93fa9438e599b2db78ac4f5bbe2f5c3dfafdf93e216100c11391376d13961251a17cda1e5b17487f280af8001
SSDEEP

24576:Ku6J33O0c+JY5UZ+XC0kGso6Fa720W4njUprvVcC1f2o5RRfgUWY0:8u0c++OCvkGs9Fa+rd1f26RaY0

Score

10^/10

netwire warzonerat botnet infostealer rat stealer

Malware Config

Extracted

Family

netwire

C2

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

C2

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Blasthost.exe	netwire
behavioral1/memory/2216-23-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1704-45-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	netwire
behavioral1/memory/1432-86-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1704-89-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2664-38-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat
behavioral1/memory/2664-29-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat

Executes dropped EXE 8 IoCs

Processes:

Blasthost.exeHost.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exeRtDCpl64.exeBlasthost.exeRtDCpl64.exe

pid process

2216 Blasthost.exe
1704 Host.exe
240 RtDCpl64.exe
1432 Blasthost.exe
404 RtDCpl64.exe
2096 RtDCpl64.exe
1556 Blasthost.exe
1680 RtDCpl64.exe

pid	process
2216	Blasthost.exe
1704	Host.exe
240	RtDCpl64.exe
1432	Blasthost.exe
404	RtDCpl64.exe
2096	RtDCpl64.exe
1556	Blasthost.exe
1680	RtDCpl64.exe

Loads dropped DLL 13 IoCs

Processes:

04f74088eccf00f8b5f064e40d23ca50.exeBlasthost.exeRtDCpl64.exeRtDCpl64.exe

pid	process
2416	04f74088eccf00f8b5f064e40d23ca50.exe
2416	04f74088eccf00f8b5f064e40d23ca50.exe
2416	04f74088eccf00f8b5f064e40d23ca50.exe
2416	04f74088eccf00f8b5f064e40d23ca50.exe
2216	Blasthost.exe
2216	Blasthost.exe
240	RtDCpl64.exe
240	RtDCpl64.exe
240	RtDCpl64.exe
240	RtDCpl64.exe
2096	RtDCpl64.exe
2096	RtDCpl64.exe
2096	RtDCpl64.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

04f74088eccf00f8b5f064e40d23ca50.exeRtDCpl64.exeRtDCpl64.exe

description	pid	process	target process
PID 2416 set thread context of 2664	2416	04f74088eccf00f8b5f064e40d23ca50.exe	04f74088eccf00f8b5f064e40d23ca50.exe
PID 240 set thread context of 404	240	RtDCpl64.exe	RtDCpl64.exe
PID 2096 set thread context of 1680	2096	RtDCpl64.exe	RtDCpl64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2060 schtasks.exe
2736 schtasks.exe
360 schtasks.exe

pid	process
2060	schtasks.exe
2736	schtasks.exe
360	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04f74088eccf00f8b5f064e40d23ca50.exeBlasthost.exe04f74088eccf00f8b5f064e40d23ca50.exetaskeng.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exeRtDCpl64.exe

description	pid	process	target process
PID 2416 wrote to memory of 2216	2416	04f74088eccf00f8b5f064e40d23ca50.exe	Blasthost.exe
PID 2416 wrote to memory of 2216	2416	04f74088eccf00f8b5f064e40d23ca50.exe	Blasthost.exe
PID 2416 wrote to memory of 2216	2416	04f74088eccf00f8b5f064e40d23ca50.exe	Blasthost.exe
PID 2416 wrote to memory of 2216	2416	04f74088eccf00f8b5f064e40d23ca50.exe	Blasthost.exe
PID 2216 wrote to memory of 1704	2216	Blasthost.exe	Host.exe
PID 2216 wrote to memory of 1704	2216	Blasthost.exe	Host.exe
PID 2216 wrote to memory of 1704	2216	Blasthost.exe	Host.exe
PID 2216 wrote to memory of 1704	2216	Blasthost.exe	Host.exe
PID 2416 wrote to memory of 2664	2416	04f74088eccf00f8b5f064e40d23ca50.exe	04f74088eccf00f8b5f064e40d23ca50.exe
PID 2416 wrote to memory of 2664	2416	04f74088eccf00f8b5f064e40d23ca50.exe	04f74088eccf00f8b5f064e40d23ca50.exe
PID 2416 wrote to memory of 2664	2416	04f74088eccf00f8b5f064e40d23ca50.exe	04f74088eccf00f8b5f064e40d23ca50.exe
PID 2416 wrote to memory of 2664	2416	04f74088eccf00f8b5f064e40d23ca50.exe	04f74088eccf00f8b5f064e40d23ca50.exe
PID 2416 wrote to memory of 2664	2416	04f74088eccf00f8b5f064e40d23ca50.exe	04f74088eccf00f8b5f064e40d23ca50.exe
PID 2416 wrote to memory of 2664	2416	04f74088eccf00f8b5f064e40d23ca50.exe	04f74088eccf00f8b5f064e40d23ca50.exe
PID 2416 wrote to memory of 2060	2416	04f74088eccf00f8b5f064e40d23ca50.exe	schtasks.exe
PID 2416 wrote to memory of 2060	2416	04f74088eccf00f8b5f064e40d23ca50.exe	schtasks.exe
PID 2416 wrote to memory of 2060	2416	04f74088eccf00f8b5f064e40d23ca50.exe	schtasks.exe
PID 2416 wrote to memory of 2060	2416	04f74088eccf00f8b5f064e40d23ca50.exe	schtasks.exe
PID 2664 wrote to memory of 2720	2664	04f74088eccf00f8b5f064e40d23ca50.exe	cmd.exe
PID 2664 wrote to memory of 2720	2664	04f74088eccf00f8b5f064e40d23ca50.exe	cmd.exe
PID 2664 wrote to memory of 2720	2664	04f74088eccf00f8b5f064e40d23ca50.exe	cmd.exe
PID 2664 wrote to memory of 2720	2664	04f74088eccf00f8b5f064e40d23ca50.exe	cmd.exe
PID 2664 wrote to memory of 2720	2664	04f74088eccf00f8b5f064e40d23ca50.exe	cmd.exe
PID 2664 wrote to memory of 2720	2664	04f74088eccf00f8b5f064e40d23ca50.exe	cmd.exe
PID 1824 wrote to memory of 240	1824	taskeng.exe	RtDCpl64.exe
PID 1824 wrote to memory of 240	1824	taskeng.exe	RtDCpl64.exe
PID 1824 wrote to memory of 240	1824	taskeng.exe	RtDCpl64.exe
PID 1824 wrote to memory of 240	1824	taskeng.exe	RtDCpl64.exe
PID 240 wrote to memory of 1432	240	RtDCpl64.exe	Blasthost.exe
PID 240 wrote to memory of 1432	240	RtDCpl64.exe	Blasthost.exe
PID 240 wrote to memory of 1432	240	RtDCpl64.exe	Blasthost.exe
PID 240 wrote to memory of 1432	240	RtDCpl64.exe	Blasthost.exe
PID 240 wrote to memory of 404	240	RtDCpl64.exe	RtDCpl64.exe
PID 240 wrote to memory of 404	240	RtDCpl64.exe	RtDCpl64.exe
PID 240 wrote to memory of 404	240	RtDCpl64.exe	RtDCpl64.exe
PID 240 wrote to memory of 404	240	RtDCpl64.exe	RtDCpl64.exe
PID 240 wrote to memory of 404	240	RtDCpl64.exe	RtDCpl64.exe
PID 240 wrote to memory of 404	240	RtDCpl64.exe	RtDCpl64.exe
PID 240 wrote to memory of 2736	240	RtDCpl64.exe	schtasks.exe
PID 240 wrote to memory of 2736	240	RtDCpl64.exe	schtasks.exe
PID 240 wrote to memory of 2736	240	RtDCpl64.exe	schtasks.exe
PID 240 wrote to memory of 2736	240	RtDCpl64.exe	schtasks.exe
PID 404 wrote to memory of 1672	404	RtDCpl64.exe	cmd.exe
PID 404 wrote to memory of 1672	404	RtDCpl64.exe	cmd.exe
PID 404 wrote to memory of 1672	404	RtDCpl64.exe	cmd.exe
PID 404 wrote to memory of 1672	404	RtDCpl64.exe	cmd.exe
PID 404 wrote to memory of 1672	404	RtDCpl64.exe	cmd.exe
PID 404 wrote to memory of 1672	404	RtDCpl64.exe	cmd.exe
PID 1824 wrote to memory of 2096	1824	taskeng.exe	RtDCpl64.exe
PID 1824 wrote to memory of 2096	1824	taskeng.exe	RtDCpl64.exe
PID 1824 wrote to memory of 2096	1824	taskeng.exe	RtDCpl64.exe
PID 1824 wrote to memory of 2096	1824	taskeng.exe	RtDCpl64.exe
PID 2096 wrote to memory of 1556	2096	RtDCpl64.exe	Blasthost.exe
PID 2096 wrote to memory of 1556	2096	RtDCpl64.exe	Blasthost.exe
PID 2096 wrote to memory of 1556	2096	RtDCpl64.exe	Blasthost.exe
PID 2096 wrote to memory of 1556	2096	RtDCpl64.exe	Blasthost.exe
PID 2096 wrote to memory of 1680	2096	RtDCpl64.exe	RtDCpl64.exe
PID 2096 wrote to memory of 1680	2096	RtDCpl64.exe	RtDCpl64.exe
PID 2096 wrote to memory of 1680	2096	RtDCpl64.exe	RtDCpl64.exe
PID 2096 wrote to memory of 1680	2096	RtDCpl64.exe	RtDCpl64.exe
PID 2096 wrote to memory of 1680	2096	RtDCpl64.exe	RtDCpl64.exe
PID 2096 wrote to memory of 1680	2096	RtDCpl64.exe	RtDCpl64.exe
PID 1680 wrote to memory of 548	1680	RtDCpl64.exe	cmd.exe
PID 1680 wrote to memory of 548	1680	RtDCpl64.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\04f74088eccf00f8b5f064e40d23ca50.exe
"C:\Users\Admin\AppData\Local\Temp\04f74088eccf00f8b5f064e40d23ca50.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
3⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\04f74088eccf00f8b5f064e40d23ca50.exe
"C:\Users\Admin\AppData\Local\Temp\04f74088eccf00f8b5f064e40d23ca50.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2720

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\taskeng.exe
taskeng.exe {205CBF31-44D5-4AC0-A80B-D644638108D4} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
3⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:2736

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Roaming\Blasthost.exe
"C:\Users\Admin\AppData\Roaming\Blasthost.exe"
3⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
Filesize
1.3MB

MD5
671a37104f8425ad1c6252601cc20844

SHA1
d3f94a8a5b92af89dc7c9e9d6dfdf8cf425132ff

SHA256
4fd1a50879656532610a4876ff417946c55e1bb719c45e451185fc96f3f330fb

SHA512
c9b112bbed0052c2b5b8ebfcf180a9ac1bf09dbbf216d923390175b93ec94ba1e87ccb60935ae73854a82f9776141e5f0f0507033ba676f725277b5833c0a784

Download Submit
\Users\Admin\AppData\Roaming\Blasthost.exe
Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
memory/404-75-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/548-115-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1432-86-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1672-81-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1704-89-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1704-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2216-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2416-25-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2664-29-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2664-26-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2664-35-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-38-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2720-40-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2720-42-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads