netwire | e5e08a97973474e281d2f869760812bf31e80554a7bfaa28a35547e7b484fef6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swift.exe
Size

227KB
MD5

21c0027924a5a4a70cd1e61220716224
SHA1

5546ef57a890ca54ee59f52a39d86ea3f24ffe0e
SHA256

cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d
SHA512

2571b525c8a9ac2abbe09fee720cbc1a4deb9aff288f75f9729475ae3497bcc4853e680015d7ea32d5f09b66425973fa564c0e51b7d10eeff91e369d3ed1ddf0
SSDEEP

6144:JpTfdT/KELr+ILii5Ea8NplE8AOcWRaIF2nYMg:JpTfp/KE3+ILkTplNUWkxYT

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

zicopele2018.sytes.net:3584

zicopele2018backup.sytes.net:3584

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
vkRChWpP
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral14/memory/3708-24-0x0000000005410000-0x000000000543C000-memory.dmp	netwire
behavioral14/memory/2264-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral14/memory/2264-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral14/memory/2264-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral14/memory/2264-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral14/memory/2264-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

swift.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ymbWet.url swift.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

swift.exe

description pid process target process

PID 3708 set thread context of 2264 3708 swift.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

swift.exe

pid process

3708 swift.exe
3708 swift.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

swift.exe

description pid process

Token: SeDebugPrivilege 3708 swift.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ymbWet.url	swift.exe

description	pid	process	target process
PID 3708 set thread context of 2264	3708	swift.exe	vbc.exe

pid	process
3708	swift.exe
3708	swift.exe

description	pid	process
Token: SeDebugPrivilege	3708	swift.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

swift.execsc.exe

description	pid	process	target process
PID 3708 wrote to memory of 992	3708	swift.exe	csc.exe
PID 3708 wrote to memory of 992	3708	swift.exe	csc.exe
PID 3708 wrote to memory of 992	3708	swift.exe	csc.exe
PID 992 wrote to memory of 3488	992	csc.exe	cvtres.exe
PID 992 wrote to memory of 3488	992	csc.exe	cvtres.exe
PID 992 wrote to memory of 3488	992	csc.exe	cvtres.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe
PID 3708 wrote to memory of 2264	3708	swift.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\swift.exe
"C:\Users\Admin\AppData\Local\Temp\swift.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bkszsnzy\bkszsnzy.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES47D6.tmp" "c:\Users\Admin\AppData\Local\Temp\bkszsnzy\CSCE4B362DA68E4EB7917F876AD46EBF46.TMP"
3⤵
PID:3488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES47D6.tmp
Filesize
1KB

MD5
457af003ef860e334d918d3e226ef508

SHA1
7a79735ad31db7139084fd5c401429b442b93186

SHA256
f4393d2177b47738f3d44ea3eb6bc72b7aaa610d37c50be36b34808a1416206a

SHA512
e3daffe07c7ae6a097bc1d8119b585889a6518ed99b4cbf74ffff78f93654cab396414ec2da1f8aec4e1284b7d752de9b96904a024333d7efa514f698bf1af3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkszsnzy\bkszsnzy.dll
Filesize
13KB

MD5
0fdbd86150e9eec01db26245644d08f3

SHA1
8f57ff509b6bac7722d9e3db415b8d365299b371

SHA256
4e37d2da745310bae986e03b734457ddae0299409d5267bbfc12db6e2880cb69

SHA512
02f9d10fc06d712f4a85452c1d3fae1c204030426e18b46930d7d9b480712ab79a25ac44262a5d9c83e8d2a0a66058b18fb9afe31151741b0793eec1f8786067

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkszsnzy\bkszsnzy.pdb
Filesize
39KB

MD5
bc5d2da2ca13f080fa91286319ca88b6

SHA1
0250cea08521da5df54eaeac07851ba1ee4055c8

SHA256
03fa1f9c796a89bc3f9015bfc439c8434c77eb9ee536929ac8352d5e53d54b31

SHA512
607f7ab43acec313f80410bf932d7a77d9efb838cbb035531daaebd71e8119a5d2d5efcfec865c7805e3442684cbfc9cfaf8ef2343f7daa7e76a00fef80dea9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkszsnzy\CSCE4B362DA68E4EB7917F876AD46EBF46.TMP
Filesize
1KB

MD5
f7836c4238be1841ce947f5e0886dfb4

SHA1
38b887c0120db766d9adb5d1beb59109849c0454

SHA256
1e9aeefe0ada1d1290565e3f5c0c29a6f76a2c5f23c4480592d28214b2f3016b

SHA512
fa47a877a79368ac3c89b169d9c16b3ccf1960352c56982e236520825d336975a3d5da216329044ba4e43d53d962b4c0ed2a4856148fc2611d8f7ee125129c20

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkszsnzy\bkszsnzy.0.cs
Filesize
23KB

MD5
f836341851788bcc914ee5b7c184806f

SHA1
cc4f180e695f1036498bc7a16d0f1885b0c5af4f

SHA256
426571217dc194753b55e1a1d51ed64c3606590c7cd7557d5925b6d6bb7b3364

SHA512
d6b64906ac580c682141a545ac025433708bc1fc8cc9f65da3d5d21ed1ec6e4ed559102ce82daf996277bb86597c767ec0eab9d954e728d0743c82138ffa0a58

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bkszsnzy\bkszsnzy.cmdline
Filesize
312B

MD5
4d7f81e75a9e0bf6da7884b2405764f9

SHA1
3084d97bb6d73ee9dacf543b06ac0ef3e67f42f5

SHA256
4d4fdbb64c738fd46162e2513442184a3a450b27430b471e1f8d83cb778d34ac

SHA512
3f45c672999370cabdecdb6cb2798f5bec7b9239285ac8346acab8511de79864899958f15c4a6f778c6b2059e539f02bbba443e4bb3dbb53d92e3c74c573c339

Download Submit
memory/2264-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2264-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2264-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2264-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2264-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3708-24-0x0000000005410000-0x000000000543C000-memory.dmp

Filesize
176KB

Download
memory/3708-21-0x00000000052C0000-0x00000000052CC000-memory.dmp

Filesize
48KB

Download
memory/3708-5-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3708-25-0x00000000059C0000-0x0000000005A5C000-memory.dmp

Filesize
624KB

Download
memory/3708-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/3708-30-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/3708-20-0x00000000053C0000-0x00000000053F2000-memory.dmp

Filesize
200KB

Download
memory/3708-19-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/3708-17-0x0000000002BB0000-0x0000000002BBA000-memory.dmp

Filesize
40KB

Download
memory/3708-1-0x0000000000880000-0x00000000008BE000-memory.dmp

Filesize
248KB

Download