netwire | b14ea2f152e1a5710ae3c34f8d98bf85e8d07bfe48a2e03b4987272b0d783855

General

Target

b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe
Size

268KB
MD5

b0756a14058ba24ffa31d03c5a15c2ee
SHA1

fa92daf4a6963160e131e543c8c2a51dd8efd84e
SHA256

b14ea2f152e1a5710ae3c34f8d98bf85e8d07bfe48a2e03b4987272b0d783855
SHA512

5591f61543b8751e3d5ffab83b6fcf7c61dc601a0c80332d05b30460aecbc7a22693d34f30e51ac8e6b67bd74cb7f0ac9459304a4bccd4e572be833374b1e415
SSDEEP

6144:XyBLkXVtU8FTskYpYr+ufYQxiaBXozlQuUCrST:XyBLkXHUwwfpJmYQcaBgvUNT

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral2/memory/1524-23-0x00000000056A0000-0x00000000056CC000-memory.dmp	netwire
behavioral2/memory/3012-25-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3012-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3012-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/3012-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe
1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3876	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	85
PID 1524 wrote to memory of 3876	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	85
PID 1524 wrote to memory of 3876	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	85
PID 3876 wrote to memory of 716	3876	csc.exe	89
PID 3876 wrote to memory of 716	3876	csc.exe	89
PID 3876 wrote to memory of 716	3876	csc.exe	89
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90
PID 1524 wrote to memory of 3012	1524	b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0756a14058ba24ffa31d03c5a15c2ee_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ehwm5y4a\ehwm5y4a.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4258.tmp" "c:\Users\Admin\AppData\Local\Temp\ehwm5y4a\CSC98946811E96248A5A823C0B73E1C2CFF.TMP"
    3⤵
    PID:716
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4258.tmp

Filesize
1KB

MD5
fa2ed4637e71531eea67129302188241

SHA1
b96a06a4d8c407a85850e665b5e367d0e268d234

SHA256
35964cc253c658a9b591d2b1c3a9b1f8e46f0288271bc2f2cd770711f1701cc5

SHA512
c09c9c6bdb9cfe9afcf804fa5e080ac3909103b8b5f8bf846a1fbc424663de941fd51ef18852f69b2afe427453ab500c3906c6c5b3177ef597fcac098ea022ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehwm5y4a\ehwm5y4a.dll

Filesize
18KB

MD5
ff74d22eab228367e0ce6339c78d0def

SHA1
9bbe360390942ea4889a8bc8a11e910aef91f272

SHA256
b917e22e214fa28b82fde147c6572180bee65e529471e226fea9507217708803

SHA512
88fb7f3995a50da36dfb361843eba2c1b45ec9727d4d552b6ec7ebc51ffa867d39dee7950c82ba507e582e1645bd9e771d4099e1bf70177da9abe68f483f49f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehwm5y4a\ehwm5y4a.pdb

Filesize
59KB

MD5
5d8c86f65022758e08b6ea275252eb1d

SHA1
dc5e278ec77c3404ccadf594b5f2cb0237d6eacf

SHA256
924c0fb2d93114d979fc4dfca02234f1b30399928829dac32e70cdb86fd2cd6f

SHA512
1d82877c582193be00bf032434c0d7803ffb9af06546d12d7b15e066c984632b3060bc716649d8d86f8b2cf9eaa431b8370028596761daae65a9d779b015ba7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ehwm5y4a\CSC98946811E96248A5A823C0B73E1C2CFF.TMP

Filesize
1KB

MD5
513597ab7279ed4d7a2ab86e0cd11cce

SHA1
716598102c5b95caff3ba70012b5554dfb2cf2e0

SHA256
86a866ac9108b0ee61458769c273303576069cce215e61d1236c8a259f801d03

SHA512
09f166fbec86acc6307dfdd542adcf474619c54d36130155711ba166a69c67e218124eb76a2f93dad39c043973e9314e8b0ad121c0f09f900d91ced1cec9b804

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ehwm5y4a\ehwm5y4a.0.cs

Filesize
41KB

MD5
ec5624b94e764943d7754cc907580206

SHA1
0e4374acc86688486c4539c1972db7de5747f6a7

SHA256
ad4289e7c602558bac01b65ae5156f7459caa2819e902dde82e48e323035f0d8

SHA512
4ff2da150a128a9998675bce68bf0231cfb392b56bb47f62398a44b7e4978b186fbd99e64aa5cbbc73db5046dacafe0a8472ec6a6dd6763d3624f77f867cb540

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ehwm5y4a\ehwm5y4a.cmdline

Filesize
312B

MD5
b9094cbae413dac91cece9d5a565acce

SHA1
2082bf57895d8502d3bd2702c9dc461b89736bb7

SHA256
cb64522577c1cf7e4d238941daa248eefde58bfa3a41915209af8f437711fe19

SHA512
b7027aadb0ee5df50d22b16489233e0faa61ccdf211d16304946fd4a3ef33f032683960af7eca95b7e0ff692846df8090182cc91aefe2a9aab42e8f2d9fdf188

Download Submit
memory/1524-17-0x0000000002D60000-0x0000000002D6A000-memory.dmp

Filesize
40KB

Download
memory/1524-23-0x00000000056A0000-0x00000000056CC000-memory.dmp

Filesize
176KB

Download
memory/1524-1-0x0000000000A50000-0x0000000000A9A000-memory.dmp

Filesize
296KB

Download
memory/1524-19-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/1524-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/1524-20-0x0000000005670000-0x00000000056A2000-memory.dmp

Filesize
200KB

Download
memory/1524-21-0x00000000053F0000-0x00000000053FC000-memory.dmp

Filesize
48KB

Download
memory/1524-5-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1524-24-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

Filesize
624KB

Download
memory/1524-30-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/3012-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3012-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3012-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3012-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing