netwire | b14ea2f152e1a5710ae3c34f8d98bf85e8d07bfe48a2e03b4987272b0d783855

General

Target

b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe
Size

268KB
MD5

b0756a14058ba24ffa31d03c5a15c2ee
SHA1

fa92daf4a6963160e131e543c8c2a51dd8efd84e
SHA256

b14ea2f152e1a5710ae3c34f8d98bf85e8d07bfe48a2e03b4987272b0d783855
SHA512

5591f61543b8751e3d5ffab83b6fcf7c61dc601a0c80332d05b30460aecbc7a22693d34f30e51ac8e6b67bd74cb7f0ac9459304a4bccd4e572be833374b1e415
SSDEEP

6144:XyBLkXVtU8FTskYpYr+ufYQxiaBXozlQuUCrST:XyBLkXHUwwfpJmYQcaBgvUNT

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1756-22-0x00000000040E0000-0x000000000410C000-memory.dmp	netwire
behavioral1/memory/2600-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2600-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2600-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2600-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2600-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1400	2600	WerFault.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe
1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1744	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	28
PID 1756 wrote to memory of 1744	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	28
PID 1756 wrote to memory of 1744	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	28
PID 1756 wrote to memory of 1744	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	28
PID 1744 wrote to memory of 3000	1744	csc.exe	30
PID 1744 wrote to memory of 3000	1744	csc.exe	30
PID 1744 wrote to memory of 3000	1744	csc.exe	30
PID 1744 wrote to memory of 3000	1744	csc.exe	30
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2600	1756	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	31
PID 2600 wrote to memory of 1400	2600	vbc.exe	32
PID 2600 wrote to memory of 1400	2600	vbc.exe	32
PID 2600 wrote to memory of 1400	2600	vbc.exe	32
PID 2600 wrote to memory of 1400	2600	vbc.exe	32

C:\Users\Admin\AppData\Local\Temp\b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fzuxiavw\fzuxiavw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES273F.tmp" "c:\Users\Admin\AppData\Local\Temp\fzuxiavw\CSCEB8B9A48D984F95905018398D67AE45.TMP"
    3⤵
    PID:3000
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 140
    3⤵
    - Program crash
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES273F.tmp

Filesize
1KB

MD5
37671602174b17bb360be7cacc1397e1

SHA1
4eddae6465c8c08ac8ead170766e3f5fd41f0c53

SHA256
9b9522fbad3d6b4ca5c9c1fff8304974b54094001eb8149bae86f4a7017b3d74

SHA512
c2f043cc364e7cad4183a691916cebfee86ab70f6573f79a95050b17e933e17aebe512eb5ac824661632b3a7bf462a06d14c37f068715ababba56c4690d70bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzuxiavw\fzuxiavw.dll

Filesize
18KB

MD5
493855d6649f8f148055d53b5f82c5c4

SHA1
10014b249fad5e5bea7a596db861325b6a88a376

SHA256
c583e7d6d0e1811a40f7d9d16ab1e1033141a8efe7e75506e01901f907ff0597

SHA512
6d266e1c58e85a25871a6e76cb53ba51b7da7f8eaffd9566ebc24d23a33a361bdb1dfab2210fab2284f0e16b0b50f9cdeb6c1b6021c5fd0156d1187d45d58b36

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzuxiavw\fzuxiavw.pdb

Filesize
59KB

MD5
85fa905e91ebf5ef6b5ff3a76bd102f0

SHA1
ee68d8be0148c908370a9d938f960b315ca0f1e9

SHA256
2730a6a5fc9bbc88f112b080f7339c3d20ec2ea731d6c38cf3b72f4dd0a399d8

SHA512
b1406bcd8b249db8b0e51f4c31046cada8662e65cae2e1f6b147d7c90284c01cff05e17ee454c13c665486e6341a2ad8d1c360238c46004d30921683f3540c00

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzuxiavw\CSCEB8B9A48D984F95905018398D67AE45.TMP

Filesize
1KB

MD5
a4c98335e9d0b7d5a43f1720bcc79bbe

SHA1
91b2788e53f8b9b4a638f5b7560eeb429d7ec062

SHA256
bd671d13facd772eb6c476b61035e431a5684881a50fc7921d4e6e4abce7e5d3

SHA512
28835bde11453eb388e78ce2fca225a7af4177ce7f6e317bd7699c8a795d948f9a81fe05f8c2d3568084aca3a36514b594e2b7e825999716a35ee88be8e2787f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzuxiavw\fzuxiavw.0.cs

Filesize
41KB

MD5
ec5624b94e764943d7754cc907580206

SHA1
0e4374acc86688486c4539c1972db7de5747f6a7

SHA256
ad4289e7c602558bac01b65ae5156f7459caa2819e902dde82e48e323035f0d8

SHA512
4ff2da150a128a9998675bce68bf0231cfb392b56bb47f62398a44b7e4978b186fbd99e64aa5cbbc73db5046dacafe0a8472ec6a6dd6763d3624f77f867cb540

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzuxiavw\fzuxiavw.cmdline

Filesize
312B

MD5
b3b3297529b85130fd6d9b671c8f8f17

SHA1
8ab70d210c5d9f76740ada5549fba4404feb5d6a

SHA256
d49b75368d0020df6840ba5810bb293136caa49c7982599a9b0276037054d2d4

SHA512
48f3e245552c9883d79c1f6b21f5778f26bb667dc4673c1b5f4903d05674ea2a1971a5ff26cc0dcdd3ecae7c203d6d038e2873df0c2b83eae1b892ba9fc66552

Download Submit
memory/1756-19-0x0000000004050000-0x0000000004082000-memory.dmp

Filesize
200KB

Download
memory/1756-5-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1756-1-0x0000000000180000-0x00000000001CA000-memory.dmp

Filesize
296KB

Download
memory/1756-17-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1756-0-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/1756-22-0x00000000040E0000-0x000000000410C000-memory.dmp

Filesize
176KB

Download
memory/1756-20-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1756-35-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing