netwire | e5e08a97973474e281d2f869760812bf31e80554a7bfaa28a35547e7b484fef6

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7.exe
Size

216KB
MD5

2a02f52b64bb0b2ffce4fb81b4517c7c
SHA1

b3a46bb392a8b40c12ac046dfdc3572132155aab
SHA256

c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c
SHA512

4814e9064e9ed6c4cdc6e514e7a7e73c227fe598904d654cadb98ef1acee51ba987d937547f80e0aeb1972cda86ae3f22addfaf83490a906ec1927f3980be786
SSDEEP

6144:59nNMa2B9x4UmQrrYfZUgWKZtFivagH8mlE:DNMaA9x4hdWqtAVHv

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral5/memory/1992-23-0x0000000000C10000-0x0000000000C3C000-memory.dmp	netwire
behavioral5/memory/2516-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral5/memory/2516-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral5/memory/2516-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral5/memory/2516-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral5/memory/2516-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral5/memory/2516-35-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral5/memory/2516-37-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral5/memory/2516-44-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jkzoKD.url 7.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

7.exe

description pid process target process

PID 1992 set thread context of 2516 1992 7.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7.exe

pid process

1992 7.exe
1992 7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7.exe

description pid process

Token: SeDebugPrivilege 1992 7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jkzoKD.url	7.exe

description	pid	process	target process
PID 1992 set thread context of 2516	1992	7.exe	vbc.exe

pid	process
1992	7.exe
1992	7.exe

description	pid	process
Token: SeDebugPrivilege	1992	7.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7.execsc.exe

description	pid	process	target process
PID 1992 wrote to memory of 2576	1992	7.exe	csc.exe
PID 1992 wrote to memory of 2576	1992	7.exe	csc.exe
PID 1992 wrote to memory of 2576	1992	7.exe	csc.exe
PID 1992 wrote to memory of 2576	1992	7.exe	csc.exe
PID 2576 wrote to memory of 2528	2576	csc.exe	cvtres.exe
PID 2576 wrote to memory of 2528	2576	csc.exe	cvtres.exe
PID 2576 wrote to memory of 2528	2576	csc.exe	cvtres.exe
PID 2576 wrote to memory of 2528	2576	csc.exe	cvtres.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe
PID 1992 wrote to memory of 2516	1992	7.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52gkucsg\52gkucsg.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES18BE.tmp" "c:\Users\Admin\AppData\Local\Temp\52gkucsg\CSCBB15321ECD5845D3B236CBF8A6B1EDB1.TMP"
3⤵
PID:2528

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\52gkucsg\52gkucsg.dll
Filesize
11KB

MD5
717f8c2cc9d8d1364cc6bb8697140cb2

SHA1
ff9a4dc60a1a871166055787c133bf476710616e

SHA256
69f945d1c48f3efdd445a589763a74a991432b825ed3c0ba3b20b792b2f1fb5c

SHA512
755a75ab6b859d359a17fa3af493a719e7be45d0effd0a2b97fbefb793a3f4d71ff03b3643661c5e6126d23180c163fb22ec14f5deac575b169c04a489d284a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\52gkucsg\52gkucsg.pdb
Filesize
37KB

MD5
e371ad6ec840d3d425f0fda44863e788

SHA1
a8368a16e0b46c00bea0a9bb5f07a20394943ec5

SHA256
f35b3e41c4dd6410ec812bdaae9e6d92b4ec4019d1ba00adf0d6d05ed1964770

SHA512
bc6412e3e3df5097015fa7bc80c684d740b577d4e675d61624101e7aff956d3b9561d8886d2f3c9fa0991ec0bf7e74498618c9c52935ce90f755da57b4594a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES18BE.tmp
Filesize
1KB

MD5
e4a97755fb1443d685be893ee219e2a7

SHA1
7e1b0aafa90d6badcf249688f29e21db067302da

SHA256
aa9224c99cfdadbb3b3a45873584b293a944fe57f4a594a62499fa94d52a3ab2

SHA512
a28fd3cd63125c56f79a1d9fe03fa2749e52c0a90f171f3ebe4e1286e7181384bc6b8436518f06469acbce03d68f193ec9f79006e12c68cbca355dca9fc907c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52gkucsg\52gkucsg.0.cs
Filesize
17KB

MD5
f14a0c054d74a07c20a32d5193fa41b0

SHA1
e17f3e9989e3a411e18d12a726f27f250f7f0e93

SHA256
f500836069863e071f17c809bf2459f7e1054e900c9ecc48bd0ffe5eaf8db01c

SHA512
e6c71c666ae48aa4244ffed024f58827448165381c171280f2622ba8fe3ef42ae7019065926ef3d9fd9590753cf81604da0bce950045b7f16b85445dd29fb5dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52gkucsg\52gkucsg.cmdline
Filesize
312B

MD5
cb6d64705fb962732152aebfeffad288

SHA1
461c340ebf47b328155fc18fcec7cd7ed22a0cb9

SHA256
aa21bfe926e5fc5ee38a88ee05bc44777e1375cf0c43cd1f24c60a8bdfc71e4e

SHA512
fa91c0ab5f180a8e671f93e9af32985111229e8da9e7fd387f50d6e690a85efd161a74ed224137d87a48f67c821a52b2b5ccf9f734a1449135b1db19ff57038d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\52gkucsg\CSCBB15321ECD5845D3B236CBF8A6B1EDB1.TMP
Filesize
1KB

MD5
7affd93168d2047c49fd277a0a152034

SHA1
b2a9282bb5cf0acb83665565d7fc21bed68c454d

SHA256
f3bfcad886aaf54dd94cceb3b688c022dc3b601cf5b9f52d90620bd60add189e

SHA512
f22ec381440693afff0d6228f86ddf0b23193d6669bec464a41e9a4d01cdcaced030756c102adf8f11e27504eb1dc0b803a74925633caa590424e448c23e93b6

Download Submit
memory/1992-23-0x0000000000C10000-0x0000000000C3C000-memory.dmp

Filesize
176KB

Download
memory/1992-6-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-1-0x0000000000EC0000-0x0000000000EFC000-memory.dmp

Filesize
240KB

Download
memory/1992-17-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/1992-20-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1992-19-0x0000000000BE0000-0x0000000000C12000-memory.dmp

Filesize
200KB

Download
memory/1992-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/1992-36-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2516-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2516-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download