netwire | 7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8

Analysis

max time kernel
148s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
Size

1.4MB
MD5

8fae8304e088d4004d32c1d42eba93e9
SHA1

7e7461ffe4b08fc40294b08a16c810fdf3ef8f1d
SHA256

7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8
SHA512

aa268ae3929c2d56b4b81cac6f6e728bcdcf0e35be437c34cf781f5b2ac1071d2055575e17ea69e7fa04a7e3a0768897c6f1cd15f32a6e95aecba527dde88f8e
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYk:Fo0c++OCokGs9Fa+rd1f26RNYk

Score

10^/10

netwire warzonerat botnet infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 10 IoCs

rat

resource	yara_rule
behavioral1/memory/1300-0-0x00000000001F0000-0x000000000035B000-memory.dmp	netwire
behavioral1/files/0x000b000000014aec-5.dat	netwire
behavioral1/memory/1724-24-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1300-41-0x00000000001F0000-0x000000000035B000-memory.dmp	netwire
behavioral1/memory/944-47-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/944-50-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/files/0x00070000000155e2-51.dat	netwire
behavioral1/memory/1380-81-0x00000000001F0000-0x000000000035B000-memory.dmp	netwire
behavioral1/memory/1104-89-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/files/0x000b000000014aec-103.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2936-39-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2936-29-0x0000000000400000-0x000000000041D000-memory.dmp	warzonerat
behavioral1/memory/2336-80-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat
behavioral1/memory/2336-71-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat

Executes dropped EXE 8 IoCs

pid	Process
1724	Blasthost.exe
944	Host.exe
1380	RtDCpl64.exe
1104	Blasthost.exe
2336	RtDCpl64.exe
720	RtDCpl64.exe
880	Blasthost.exe
856	RtDCpl64.exe

Loads dropped DLL 13 IoCs

pid	Process
1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
1724	Blasthost.exe
1724	Blasthost.exe
1380	RtDCpl64.exe
1380	RtDCpl64.exe
1380	RtDCpl64.exe
1380	RtDCpl64.exe
720	RtDCpl64.exe
720	RtDCpl64.exe
720	RtDCpl64.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1300-0-0x00000000001F0000-0x000000000035B000-memory.dmp	autoit_exe
behavioral1/memory/1300-41-0x00000000001F0000-0x000000000035B000-memory.dmp	autoit_exe
behavioral1/files/0x00070000000155e2-51.dat	autoit_exe
behavioral1/memory/1380-81-0x00000000001F0000-0x000000000035B000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 2936	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	30
PID 1380 set thread context of 2336	1380	RtDCpl64.exe	40
PID 720 set thread context of 856	720	RtDCpl64.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2600	schtasks.exe
2036	schtasks.exe
992	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1724	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	28
PID 1300 wrote to memory of 1724	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	28
PID 1300 wrote to memory of 1724	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	28
PID 1300 wrote to memory of 1724	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	28
PID 1724 wrote to memory of 944	1724	Blasthost.exe	29
PID 1724 wrote to memory of 944	1724	Blasthost.exe	29
PID 1724 wrote to memory of 944	1724	Blasthost.exe	29
PID 1724 wrote to memory of 944	1724	Blasthost.exe	29
PID 1300 wrote to memory of 2936	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	30
PID 1300 wrote to memory of 2936	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	30
PID 1300 wrote to memory of 2936	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	30
PID 1300 wrote to memory of 2936	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	30
PID 1300 wrote to memory of 2936	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	30
PID 1300 wrote to memory of 2936	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	30
PID 2936 wrote to memory of 2516	2936	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	31
PID 2936 wrote to memory of 2516	2936	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	31
PID 2936 wrote to memory of 2516	2936	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	31
PID 2936 wrote to memory of 2516	2936	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	31
PID 1300 wrote to memory of 2600	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	33
PID 1300 wrote to memory of 2600	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	33
PID 1300 wrote to memory of 2600	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	33
PID 1300 wrote to memory of 2600	1300	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	33
PID 2936 wrote to memory of 2516	2936	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	31
PID 2936 wrote to memory of 2516	2936	7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe	31
PID 620 wrote to memory of 1380	620	taskeng.exe	38
PID 620 wrote to memory of 1380	620	taskeng.exe	38
PID 620 wrote to memory of 1380	620	taskeng.exe	38
PID 620 wrote to memory of 1380	620	taskeng.exe	38
PID 1380 wrote to memory of 1104	1380	RtDCpl64.exe	39
PID 1380 wrote to memory of 1104	1380	RtDCpl64.exe	39
PID 1380 wrote to memory of 1104	1380	RtDCpl64.exe	39
PID 1380 wrote to memory of 1104	1380	RtDCpl64.exe	39
PID 1380 wrote to memory of 2336	1380	RtDCpl64.exe	40
PID 1380 wrote to memory of 2336	1380	RtDCpl64.exe	40
PID 1380 wrote to memory of 2336	1380	RtDCpl64.exe	40
PID 1380 wrote to memory of 2336	1380	RtDCpl64.exe	40
PID 1380 wrote to memory of 2336	1380	RtDCpl64.exe	40
PID 1380 wrote to memory of 2336	1380	RtDCpl64.exe	40
PID 2336 wrote to memory of 2676	2336	RtDCpl64.exe	41
PID 2336 wrote to memory of 2676	2336	RtDCpl64.exe	41
PID 2336 wrote to memory of 2676	2336	RtDCpl64.exe	41
PID 2336 wrote to memory of 2676	2336	RtDCpl64.exe	41
PID 1380 wrote to memory of 2036	1380	RtDCpl64.exe	43
PID 1380 wrote to memory of 2036	1380	RtDCpl64.exe	43
PID 1380 wrote to memory of 2036	1380	RtDCpl64.exe	43
PID 1380 wrote to memory of 2036	1380	RtDCpl64.exe	43
PID 2336 wrote to memory of 2676	2336	RtDCpl64.exe	41
PID 2336 wrote to memory of 2676	2336	RtDCpl64.exe	41
PID 620 wrote to memory of 720	620	taskeng.exe	45
PID 620 wrote to memory of 720	620	taskeng.exe	45
PID 620 wrote to memory of 720	620	taskeng.exe	45
PID 620 wrote to memory of 720	620	taskeng.exe	45
PID 720 wrote to memory of 880	720	RtDCpl64.exe	46
PID 720 wrote to memory of 880	720	RtDCpl64.exe	46
PID 720 wrote to memory of 880	720	RtDCpl64.exe	46
PID 720 wrote to memory of 880	720	RtDCpl64.exe	46
PID 720 wrote to memory of 856	720	RtDCpl64.exe	47
PID 720 wrote to memory of 856	720	RtDCpl64.exe	47
PID 720 wrote to memory of 856	720	RtDCpl64.exe	47
PID 720 wrote to memory of 856	720	RtDCpl64.exe	47
PID 720 wrote to memory of 856	720	RtDCpl64.exe	47
PID 720 wrote to memory of 856	720	RtDCpl64.exe	47
PID 856 wrote to memory of 2108	856	RtDCpl64.exe	48
PID 856 wrote to memory of 2108	856	RtDCpl64.exe	48

C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
"C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
    3⤵
    - Executes dropped EXE
    PID:944
- C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe
  "C:\Users\Admin\AppData\Local\Temp\7b157968c9b39cd4f7142319875abd5fa41c47a102efee89f04e0994ab1236b8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:2516
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2600

C:\Windows\system32\taskeng.exe
taskeng.exe {A3E14A1E-35C8-4F5A-9071-F7EA42BF3984} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    3⤵
    - Executes dropped EXE
    PID:1104
- - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2676
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2036
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    3⤵
    - Executes dropped EXE
    PID:880
- - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2108
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
128KB

MD5
9334eeca7a29b6c1743a471c02b0c7b1

SHA1
96cb5e6fd8958810837e4eb2270f5cfe26e12eb6

SHA256
6a4456574b80eaded997dd37f639e21dd011d8b42bc911a67c9f09828fffcece

SHA512
ac4ad2e2da3d52e1db1308b2fb4f8ab8e9d1fe991e59433d43f5e5da1625e91e3d972b006957913449651aee81491bbb8502684f085e1b75c836c31a63527a1a

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
128KB

MD5
74b60f3f19ba6e4c9e2289966ef5313a

SHA1
a653d302aabc0bad6ac54c566e1da75df486a5f8

SHA256
7e4474acbae35ee0177935fa76bb233c2d9ebc71c45b85950e70e606d8b8e0cd

SHA512
c8fb03970bccbc3f3b4b0d88e7cfc0969419a548729fe93f2fb4061a5d97698743b29b599c4baccc353eaa3c290efcbbb8601f76c5b42b98484a1c5947aafc81

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.4MB

MD5
132627490df1a0dcf13fd8cacf99b811

SHA1
c2054439f608fc0a7f1cbdf4c38240f485333bee

SHA256
951efba96db22dde61eca32b2c8112eab4e4c1d294e3ef948072a91a9c140650

SHA512
9a5edc66282ba45a8dd192bdae52b5621e1c2e5982f560d2564c52393b9ddd898e2c3a4206a7f8481531f58d72f259fde9161351d7c94b15225eb60941b7ecff

Download Submit
C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
448KB

MD5
a152d8b6dcf40c5326797312d0ad6f25

SHA1
380567b1a90bf3171b4f305127b4f41f2d4218ba

SHA256
9c25156de862fba07bceac17c5482de1226d2ca0d9ac5745e55e0a4ab106b578

SHA512
53842d1babbbe99cc3f036d9101fcf8f11e61a9910860abe2cc098859e5956ae5e95588130c4ad310ad80281f9fd6656a887f34590f1d781031f2d71e0c613e2

Download Submit
\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
memory/720-116-0x00000000001F0000-0x000000000035B000-memory.dmp

Filesize
1.4MB

Download
memory/944-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/944-50-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1104-89-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1300-41-0x00000000001F0000-0x000000000035B000-memory.dmp

Filesize
1.4MB

Download
memory/1300-26-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1300-0-0x00000000001F0000-0x000000000035B000-memory.dmp

Filesize
1.4MB

Download
memory/1380-81-0x00000000001F0000-0x000000000035B000-memory.dmp

Filesize
1.4MB

Download
memory/1724-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2108-119-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2336-80-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2336-71-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2516-44-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2516-42-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2676-84-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2936-27-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2936-29-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2936-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-39-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads