netwire | e5e08a97973474e281d2f869760812bf31e80554a7bfaa28a35547e7b484fef6

Analysis

max time kernel
141s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24.exe
Size

231KB
MD5

260b768a03390af34cf4d91ced33fb0e
SHA1

19022cee29e978d9e56af5931421c115c522ee31
SHA256

d4103e933d33c9257967b632f9c4cedc5f57e15abd2c0357ce7e9966881cc97d
SHA512

05fd9b1eba3f4217b49b4b7eed58634eb7cf944dfa367a0e868c15862a3399e6e874754ab9ffda785a47a7b850d6e24bc777ba55fe47c1405cd28534869841c3
SSDEEP

3072:2xfqOcLw3jpU6+NAs9ejLSxKy2jSb/DCKvNSs7ZAHS6vYAdz7QgRrYEaFxuAc2:wqOPzpU6+NCLSK8GBcZAHStYXRrYHc2

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3556-24-0x0000000005CC0000-0x0000000005CEC000-memory.dmp	netwire
behavioral2/memory/408-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/408-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/408-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/408-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/408-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

24.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tEsQxF.url 24.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

24.exe

description pid process target process

PID 3556 set thread context of 408 3556 24.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

24.exe

pid process

3556 24.exe
3556 24.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

24.exe

description pid process

Token: SeDebugPrivilege 3556 24.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tEsQxF.url	24.exe

description	pid	process	target process
PID 3556 set thread context of 408	3556	24.exe	vbc.exe

pid	process
3556	24.exe
3556	24.exe

description	pid	process
Token: SeDebugPrivilege	3556	24.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

24.execsc.exe

description	pid	process	target process
PID 3556 wrote to memory of 4444	3556	24.exe	csc.exe
PID 3556 wrote to memory of 4444	3556	24.exe	csc.exe
PID 3556 wrote to memory of 4444	3556	24.exe	csc.exe
PID 4444 wrote to memory of 3384	4444	csc.exe	cvtres.exe
PID 4444 wrote to memory of 3384	4444	csc.exe	cvtres.exe
PID 4444 wrote to memory of 3384	4444	csc.exe	cvtres.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe
PID 3556 wrote to memory of 408	3556	24.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\24.exe
"C:\Users\Admin\AppData\Local\Temp\24.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0j4axnoz\0j4axnoz.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38E2.tmp" "c:\Users\Admin\AppData\Local\Temp\0j4axnoz\CSC812B946C87DE4EFC924A0A4555BECE.TMP"
3⤵
PID:3384

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0j4axnoz\0j4axnoz.dll
Filesize
14KB

MD5
d14b781826e2425e87e45e522a11deab

SHA1
05c6d492332447f0eb391213f584e9691d47272a

SHA256
8f511ce7bc085ca8aa7f0baf1f5994a1bec50e40fec6e2fee2d16df7dca67485

SHA512
e256941a2d6332edcdaccfff27954a1ef79abee05cfdd7d9eae5c8fd33088dd26e2479185217aba622823d32d7c58519218ee6d7f79baf5830a602ca06b5c669

Download Submit
C:\Users\Admin\AppData\Local\Temp\0j4axnoz\0j4axnoz.pdb
Filesize
49KB

MD5
a51d83561f415f888128b40b0cf67cd8

SHA1
9b4e7759abe186791d762fb40907445f4521cfbe

SHA256
24c68106bd1af1ec0d2061563548bbf6f000a3f5d7850b2bf53d10913a7b22f7

SHA512
de43ff18aab5c4636f94ab0e952f9b409879f49c7a292e0eb7d2dedb07648562981ed58cafc8919755466d54343bfaff7186438a07543bfbdbc7e5eb3224ceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES38E2.tmp
Filesize
1KB

MD5
7bd19ae6692e3d3c79b64da9803e6168

SHA1
b4e93124170faa4bd193655c79318c214695161e

SHA256
864ad28587e8a354cdf598945823a5a35dd541b8e70c16978448fef1f3236d4e

SHA512
b25dcdf2be8083ccfe1ee7e588b4281715c8f0a3f0903a011c657c57741ddf1414eabe85624d1d9b6d02fe31599578eddb40ec4eb11f18cc97ecfc830745abb2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0j4axnoz\0j4axnoz.0.cs
Filesize
28KB

MD5
775bb4ff684fb0f6da487cc2420a3f6a

SHA1
9fbc1385b325aaa6b0677fc0690094e5711cd719

SHA256
4ece1996c472ceb3dd020487771dfdcabddc1e12503b4a31d099e3ef5f649c3a

SHA512
8786a6108139f210131565526c2561f425b5a39fc9036e0fbbea30e83f8f54bce4ae44503ad6f720713a3162e97eeeb41803da0ff236690da1a34ac69ecb0929

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0j4axnoz\0j4axnoz.cmdline
Filesize
312B

MD5
fb9261ce88ff55222654706418a2999d

SHA1
cf520154b9682ff8dfd98dd8c2b7df281973a5f5

SHA256
57fb562c042f6b2c8a70df0c423a5da44f460177d90150abce8289a6be7dfe3e

SHA512
6b46f599d25b68789e361132221c7cdf08ea5c1510f58f85c4b552815c1a37ac3c9d2979d381be6f819ce6962ab594047d8715d61c8cd1e92f009c2db14edab2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0j4axnoz\CSC812B946C87DE4EFC924A0A4555BECE.TMP
Filesize
1KB

MD5
b7d23888a16043634ed7fbece2658e5c

SHA1
b873694a7a1d6d1d519aee0ffedde94acd0531b1

SHA256
78d2675a99cb5a8c4481d96043582e496ec5eb56c5ef4b9c4382ad5baa2d7f5f

SHA512
4bd28450e8776938dffc7d88cf4642c368120739742d8808d1bcd5468470b678f74613e1fd1fe3b81e5225073326786e031106d12789c75d7307b43159b91b27

Download Submit
memory/408-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/408-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/408-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/408-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/408-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3556-17-0x0000000003260000-0x000000000326A000-memory.dmp

Filesize
40KB

Download
memory/3556-21-0x0000000005A10000-0x0000000005A1C000-memory.dmp

Filesize
48KB

Download
memory/3556-24-0x0000000005CC0000-0x0000000005CEC000-memory.dmp

Filesize
176KB

Download
memory/3556-25-0x0000000005F40000-0x0000000005FDC000-memory.dmp

Filesize
624KB

Download
memory/3556-20-0x0000000005C80000-0x0000000005CB2000-memory.dmp

Filesize
200KB

Download
memory/3556-1-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/3556-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/3556-31-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download
memory/3556-19-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/3556-5-0x0000000074C10000-0x00000000753C0000-memory.dmp

Filesize
7.7MB

Download