netwire | e5e08a97973474e281d2f869760812bf31e80554a7bfaa28a35547e7b484fef6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7.exe
Size

216KB
MD5

2a02f52b64bb0b2ffce4fb81b4517c7c
SHA1

b3a46bb392a8b40c12ac046dfdc3572132155aab
SHA256

c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c
SHA512

4814e9064e9ed6c4cdc6e514e7a7e73c227fe598904d654cadb98ef1acee51ba987d937547f80e0aeb1972cda86ae3f22addfaf83490a906ec1927f3980be786
SSDEEP

6144:59nNMa2B9x4UmQrrYfZUgWKZtFivagH8mlE:DNMaA9x4hdWqtAVHv

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral6/memory/628-24-0x0000000005550000-0x000000000557C000-memory.dmp	netwire
behavioral6/memory/4536-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral6/memory/4536-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral6/memory/4536-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral6/memory/4536-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

7.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jkzoKD.url 7.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

7.exe

description pid process target process

PID 628 set thread context of 4536 628 7.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7.exe

pid process

628 7.exe
628 7.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7.exe

description pid process

Token: SeDebugPrivilege 628 7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jkzoKD.url	7.exe

description	pid	process	target process
PID 628 set thread context of 4536	628	7.exe	vbc.exe

pid	process
628	7.exe
628	7.exe

description	pid	process
Token: SeDebugPrivilege	628	7.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

7.execsc.exe

description	pid	process	target process
PID 628 wrote to memory of 1164	628	7.exe	csc.exe
PID 628 wrote to memory of 1164	628	7.exe	csc.exe
PID 628 wrote to memory of 1164	628	7.exe	csc.exe
PID 1164 wrote to memory of 3644	1164	csc.exe	cvtres.exe
PID 1164 wrote to memory of 3644	1164	csc.exe	cvtres.exe
PID 1164 wrote to memory of 3644	1164	csc.exe	cvtres.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe
PID 628 wrote to memory of 4536	628	7.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amx3t4p3\amx3t4p3.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2EFF.tmp" "c:\Users\Admin\AppData\Local\Temp\amx3t4p3\CSCCE21F8CD24FE4B30A677AE265CE7C11.TMP"
3⤵
PID:3644

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2EFF.tmp
Filesize
1KB

MD5
feea693f8f05d72ebfbc925a74183cc8

SHA1
487ba3f93329a91ef23ae9c62ac777ce08f1f691

SHA256
39953b9a754c7c9b2dda2de98ee6fc9c911c778b648e176b978ff3455960b2ab

SHA512
b865fe8eb05cc747450baa41c1e388d3d73a7db8e9c8fd846af74b444ec69f1464893f55f480d0aa257a13ead5ab685a87a6d6e8b140d278489ba9f5e5e56ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\amx3t4p3\amx3t4p3.dll
Filesize
11KB

MD5
b4a9cc1040f527a7a14d72965461a14f

SHA1
7408cbc28c738d9844c7ed56d035435454489365

SHA256
175b4bad3a0921b6855d8f7384f9dbdbcab079b22f4db273c5dac37481f35c3f

SHA512
b7b369d994cacdbbccfed87905ef561fbd1323c12d9baaa0fc73e79881d0e739fb61a5e1c2419d6584565c215a21912801193a71b2192892a0d785f219a8de56

Download Submit
C:\Users\Admin\AppData\Local\Temp\amx3t4p3\amx3t4p3.pdb
Filesize
37KB

MD5
107c255228dfd2b8d17e1bfec02c9f0c

SHA1
03377236805c2e4b5cee5a71f454a26be709071b

SHA256
b5e2bbcd94f866802e55e7780c0d596db69f503a35b787d3d3809e4ec171af33

SHA512
91ecc1259222c0936b8a6889b81c80f97f23e4d9b614cf49ff281e63b05a1a235ecba7eb2c0b0f9d1af615bac5b7464a34a24646a1370b954e0407e68c321553

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amx3t4p3\CSCCE21F8CD24FE4B30A677AE265CE7C11.TMP
Filesize
1KB

MD5
0727ee6ecaffcc501aba946646824483

SHA1
178d553e2e7743a1160d42a0b6de7d8ef8dbaead

SHA256
04ea504d1414628eafc70a186c726aa5e4f9bccd588436bcf5f877223512ca0e

SHA512
d7a46721472994b0c7ca887a6ef90d6b3ece52ed72aac6273a6de6936a6529637da28ce340361788e6b92440cb77e1207cb439c34d2b45023c361d2bde2d2c9e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amx3t4p3\amx3t4p3.0.cs
Filesize
17KB

MD5
f14a0c054d74a07c20a32d5193fa41b0

SHA1
e17f3e9989e3a411e18d12a726f27f250f7f0e93

SHA256
f500836069863e071f17c809bf2459f7e1054e900c9ecc48bd0ffe5eaf8db01c

SHA512
e6c71c666ae48aa4244ffed024f58827448165381c171280f2622ba8fe3ef42ae7019065926ef3d9fd9590753cf81604da0bce950045b7f16b85445dd29fb5dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amx3t4p3\amx3t4p3.cmdline
Filesize
312B

MD5
608d3f01306dee8472f85554288c634e

SHA1
151c5ef9f70729f8928b154c783539ecbf275052

SHA256
69911ebeac6f42cc322aab219ff82eb401ab69055cee0e36e73a5be77af82043

SHA512
3640a6eb2d91fd70d580d75f1f10cf4d8a31c87c63aa33285809fd3800eed5af2992a9bab51a7abc1cf03d673fbfb1baabe9f036a197c6a3992ba2b431883969

Download Submit
memory/628-19-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/628-24-0x0000000005550000-0x000000000557C000-memory.dmp

Filesize
176KB

Download
memory/628-1-0x00000000008F0000-0x000000000092C000-memory.dmp

Filesize
240KB

Download
memory/628-17-0x0000000002BF0000-0x0000000002BFA000-memory.dmp

Filesize
40KB

Download
memory/628-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/628-20-0x00000000053F0000-0x0000000005422000-memory.dmp

Filesize
200KB

Download
memory/628-21-0x0000000002C60000-0x0000000002C6C000-memory.dmp

Filesize
48KB

Download
memory/628-5-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/628-25-0x0000000005940000-0x00000000059DC000-memory.dmp

Filesize
624KB

Download
memory/628-31-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4536-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4536-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4536-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download