netwire | a4a8cca75b62ca120cda2043d5cb7ea48bfba05da6bf9cd58f6af101151e0634

General

Target

59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe
Size

228KB
MD5

59b5865ebfc97a5f60613ec1215a0cac
SHA1

4b24442a00ed2954538164f5f0537f60adde0a0b
SHA256

a4a8cca75b62ca120cda2043d5cb7ea48bfba05da6bf9cd58f6af101151e0634
SHA512

74de4eb07b330247bda011b2e8a0104a21b90252a77db3e18e3813518d2ee31d4c1b962c4e8bbd4e65a9923c2197d9557c78e152a47d2fa8e526b831d87df6c2
SSDEEP

6144:FmvcIPl07bAHPcdS/mG4U9cozMsYbVW8M6F:FmvcIPl07bAHPcdymTBbV/M6F

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/3568-24-0x0000000005830000-0x000000000585C000-memory.dmp	netwire
behavioral2/memory/3652-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3652-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3652-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3652-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3652-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qIZRyx.url	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe
3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 1572	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	84
PID 3568 wrote to memory of 1572	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	84
PID 3568 wrote to memory of 1572	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	84
PID 1572 wrote to memory of 4644	1572	csc.exe	86
PID 1572 wrote to memory of 4644	1572	csc.exe	86
PID 1572 wrote to memory of 4644	1572	csc.exe	86
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87
PID 3568 wrote to memory of 3652	3568	59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\59b5865ebfc97a5f60613ec1215a0cac_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iwposhav\iwposhav.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AB5.tmp" "c:\Users\Admin\AppData\Local\Temp\iwposhav\CSCBF8223628C574230BFA681E9314597D1.TMP"
    3⤵
    PID:4644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4AB5.tmp

Filesize
1KB

MD5
ac507da93c27b5a1c6184b895e043779

SHA1
5f8baa4304bbd49d380146011ac93b87d434ad36

SHA256
73fa1544c221f608ad0cb201d97b5121736d488a037cf68fe5016448568276c8

SHA512
b538e35d43f88c032d1a2f1ddaa577cf76005c129839979a7d533635e23a71086e6507357874198519e27d8567b4961ce93c8c268ed9d5934567b833c1c15ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwposhav\iwposhav.dll

Filesize
13KB

MD5
04816547eaf9abcc2738e14a880a0909

SHA1
0d7465d93ea36b3fb8de92c37d56e4982f2b1676

SHA256
57d3495009facecb48d6fba38504f36993247d3dd3d1b04a1e9491655563c572

SHA512
ea3227452adb5dd9abd722c80b7c49d2e3e5697f734ceeb4a6dcc0e0e65954a09d3aa42c3e5175caac7fbff6934fce87e68cb4ca105540a8ef4cb25126f91004

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwposhav\iwposhav.pdb

Filesize
39KB

MD5
8c57e15aca7009c6c57dc467dbd98c67

SHA1
462ebb43945f18e9f73b41fee029ff6e39eaaf38

SHA256
db1e575815790fb9870650318b398e190d2caa134eac8d8441093b3a1298e567

SHA512
0631e40a1fbc380f4ae133d232c1ed79bb4d7a40ea6d54d5654d10db7e89eb97716dc8d7fdd7e2aa68ecf44fc405b91c498b9bcf5ccae356f3c085b615bd2551

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iwposhav\CSCBF8223628C574230BFA681E9314597D1.TMP

Filesize
1KB

MD5
338a3e3ce11476c0a35ea1528ac91623

SHA1
a02f14b77a024a23d0e28678a0795d3af88c9252

SHA256
53e7b486caf3cc034ba2ef9e5c2106f2c6a77aae8d11a0853a2694350740f954

SHA512
dbeaa5245f72801f74170033f34d47e7098e2ca9a11288e9254217594cea4ee245e16f2fc7aa41a34edfacb8dba394884050448c71da90536b7fb35b785d8e04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iwposhav\iwposhav.0.cs

Filesize
23KB

MD5
1f0fa9f72871b64abd914263debfee66

SHA1
84a520e95ce5db685cb9c99f6416b1552bd7ab85

SHA256
07941407df2f3b23aeebbf700083235d8c50e8311a9fb77e5d196c09a466ad38

SHA512
ee572879a2cb289430efa4ab9305a42ac612f9f6b9efeac8422c1bfd25616f3ee2545008fa8b163529d4194c44b66c0dd812957fbb38aa5cee1346f3d6260af9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iwposhav\iwposhav.cmdline

Filesize
312B

MD5
02cdc6c767f4fc9ea40c47b76e40532d

SHA1
924c616dbed2f1a95815a4404c79855927381f87

SHA256
ed2378e210a2ae35b935970fb50d09ba9fd9af43fa533c414dd8c0ab73d01bd4

SHA512
5c53435e9685b192a14260d9ae3de55971ccfc47f7edf9d5706814863ed7b43ea53af6b04560d2eb361a7ea2f7dbde3ff145de996707726fb6909668c4f21fe2

Download Submit
memory/3568-19-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3568-24-0x0000000005830000-0x000000000585C000-memory.dmp

Filesize
176KB

Download
memory/3568-1-0x00000000009B0000-0x00000000009EE000-memory.dmp

Filesize
248KB

Download
memory/3568-17-0x00000000052A0000-0x00000000052AA000-memory.dmp

Filesize
40KB

Download
memory/3568-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/3568-20-0x00000000056D0000-0x0000000005702000-memory.dmp

Filesize
200KB

Download
memory/3568-21-0x0000000005340000-0x000000000534C000-memory.dmp

Filesize
48KB

Download
memory/3568-5-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3568-25-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/3568-31-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/3652-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3652-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3652-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3652-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3652-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing