netwire | e5e08a97973474e281d2f869760812bf31e80554a7bfaa28a35547e7b484fef6

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swift.exe
Size

227KB
MD5

21c0027924a5a4a70cd1e61220716224
SHA1

5546ef57a890ca54ee59f52a39d86ea3f24ffe0e
SHA256

cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d
SHA512

2571b525c8a9ac2abbe09fee720cbc1a4deb9aff288f75f9729475ae3497bcc4853e680015d7ea32d5f09b66425973fa564c0e51b7d10eeff91e369d3ed1ddf0
SSDEEP

6144:JpTfdT/KELr+ILii5Ea8NplE8AOcWRaIF2nYMg:JpTfp/KE3+ILkTplNUWkxYT

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
vkRChWpP
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral13/memory/1096-23-0x0000000004070000-0x000000000409C000-memory.dmp	netwire
behavioral13/memory/2584-38-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral13/memory/2584-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral13/memory/2584-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral13/memory/2584-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral13/memory/2584-41-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral13/memory/2584-40-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral13/memory/2584-43-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral13/memory/2584-50-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

swift.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ymbWet.url swift.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

swift.exe

description pid process target process

PID 1096 set thread context of 2584 1096 swift.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

swift.exe

pid process

1096 swift.exe
1096 swift.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

swift.exe

description pid process

Token: SeDebugPrivilege 1096 swift.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ymbWet.url	swift.exe

description	pid	process	target process
PID 1096 set thread context of 2584	1096	swift.exe	vbc.exe

pid	process
1096	swift.exe
1096	swift.exe

description	pid	process
Token: SeDebugPrivilege	1096	swift.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

swift.execsc.exe

description	pid	process	target process
PID 1096 wrote to memory of 1068	1096	swift.exe	csc.exe
PID 1096 wrote to memory of 1068	1096	swift.exe	csc.exe
PID 1096 wrote to memory of 1068	1096	swift.exe	csc.exe
PID 1096 wrote to memory of 1068	1096	swift.exe	csc.exe
PID 1068 wrote to memory of 2524	1068	csc.exe	cvtres.exe
PID 1068 wrote to memory of 2524	1068	csc.exe	cvtres.exe
PID 1068 wrote to memory of 2524	1068	csc.exe	cvtres.exe
PID 1068 wrote to memory of 2524	1068	csc.exe	cvtres.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe
PID 1096 wrote to memory of 2584	1096	swift.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\swift.exe
"C:\Users\Admin\AppData\Local\Temp\swift.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0yugky0v\0yugky0v.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2904.tmp" "c:\Users\Admin\AppData\Local\Temp\0yugky0v\CSCD3C07FD6CC504A2BABD3C3B9B462FFEC.TMP"
3⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0yugky0v\0yugky0v.dll
Filesize
13KB

MD5
cf21f0a5f7b5cbdf0e86ede9ded434f7

SHA1
2029cd4ec0a92e27d283b858af341d8c597e0d2c

SHA256
aabfee247c66f94da937122a95ebf9318e4d080b0ec9731e0cd07eddfa5699aa

SHA512
f7f036923a0dc5d5104dc8320924fd56971082d74c160b579352dfb575e701c7be430a7a3e6c10697588d63e13ada829560cb55cc880c028854dd32389e4acde

Download Submit
C:\Users\Admin\AppData\Local\Temp\0yugky0v\0yugky0v.pdb
Filesize
39KB

MD5
57ef146ccd5d925d8ee6ea0821bfe032

SHA1
2ca6ae773ed568a76adaca1e2b58dc726e9543b7

SHA256
746c1ef2f55e03c2101676c2edab86a729352f540f3212993f69b01617201b0b

SHA512
341af79c790c316f3c008a86b76e30bba802f74962255621646013d83df69a4fbf18693e9ca0a66c2cc8a5d1da9172ff44c142bed10f8dff55d21bb9e5ad0d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2904.tmp
Filesize
1KB

MD5
65b97373db195ccbb4dd0df97204dba5

SHA1
355ac6e3dd448c86e107b0bcc5f8ff7f3b520852

SHA256
088101de1a26c1ddcccdce315bd61152495be6fc8e68246d6f0330b3d459eaca

SHA512
d5a4afa5340c7821c33d150f00e5c10ed187a308979287121280bb339910094532aeb68b7f0a4c50229c1d4eb03081a831207f552dec4f6dda8a93146e2f5ae2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0yugky0v\0yugky0v.0.cs
Filesize
23KB

MD5
f836341851788bcc914ee5b7c184806f

SHA1
cc4f180e695f1036498bc7a16d0f1885b0c5af4f

SHA256
426571217dc194753b55e1a1d51ed64c3606590c7cd7557d5925b6d6bb7b3364

SHA512
d6b64906ac580c682141a545ac025433708bc1fc8cc9f65da3d5d21ed1ec6e4ed559102ce82daf996277bb86597c767ec0eab9d954e728d0743c82138ffa0a58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0yugky0v\0yugky0v.cmdline
Filesize
312B

MD5
6a669826547eaf74693a55bd1df2aac3

SHA1
3b700e7cdb00d003a9560ab47065e5db94eb791b

SHA256
e53729ce0fb9f1a316c7e429467f0729109c2e2b594692f95ac89301d94e5252

SHA512
c519b850d5e717ed90cd7cacb57013d5fbb228acb1f85098b2f7b50715e46e6505762e73d047240062cc9d61d9e76536e18e6363e5ecce9dd2b07b2c86809739

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0yugky0v\CSCD3C07FD6CC504A2BABD3C3B9B462FFEC.TMP
Filesize
1KB

MD5
bf081ec260e8af0cb63d499b41ae896a

SHA1
e0a59f5699a32c4d1945ca0f5730331478261214

SHA256
005637d12533a42449b732aa96a75a4572c18adfe2ccedce257b44a846e7188d

SHA512
065ae39abd37f8de1c2ad19ed86fde704f70a2646ba461e7cd92b22a18d3ce45db6d930bff151af2b0da3512bc0b8a805d4959a6c9b4bc8c3ecc355a671a28c5

Download Submit
memory/1096-23-0x0000000004070000-0x000000000409C000-memory.dmp

Filesize
176KB

Download
memory/1096-5-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1096-1-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1096-17-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/1096-19-0x0000000001F00000-0x0000000001F32000-memory.dmp

Filesize
200KB

Download
memory/1096-20-0x0000000001D90000-0x0000000001D9C000-memory.dmp

Filesize
48KB

Download
memory/1096-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/1096-42-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-41-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-43-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2584-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download