netwire | d7e6506f8b90ca6bd1bd92356045a4356306bbaf79ca8d159ba35ab5dc0f3124

General

Target

b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe
Size

319KB
MD5

b78cf1a172ab553e54a45a3446f909c6
SHA1

ceb9d1aaf34673d5a21261d34bf5046d230f391e
SHA256

d7e6506f8b90ca6bd1bd92356045a4356306bbaf79ca8d159ba35ab5dc0f3124
SHA512

c255ab5e0433c9eb154e1b94faf47112654ece6850523e76fc210a47b370c94eaf8492657ab1b6671acce59ebd5d6d3a28f13112272c4ab32fa5796c77b85b91
SSDEEP

3072:8UX8jQbww5buUhrcZOrHDf4Q6vdtxwzgXiFFjKbqXiS8MsLhejnUJVGwRFd/onTq:WjWsUmZOrbwdtS8v2XiOgvGwRoe5N

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2676-23-0x0000000001000000-0x000000000102C000-memory.dmp	netwire
behavioral1/memory/2632-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2632-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2632-37-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2632-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2632-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2632-38-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2632-45-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mefCUp.url	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe
2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2848	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	28
PID 2676 wrote to memory of 2848	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	28
PID 2676 wrote to memory of 2848	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	28
PID 2676 wrote to memory of 2848	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	28
PID 2848 wrote to memory of 2504	2848	csc.exe	30
PID 2848 wrote to memory of 2504	2848	csc.exe	30
PID 2848 wrote to memory of 2504	2848	csc.exe	30
PID 2848 wrote to memory of 2504	2848	csc.exe	30
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2632	2676	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e2ypkeoq\e2ypkeoq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33FC.tmp" "c:\Users\Admin\AppData\Local\Temp\e2ypkeoq\CSC532AA446E80648E19A15D57AB54A422.TMP"
    3⤵
    PID:2504
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES33FC.tmp

Filesize
1KB

MD5
de584c9f7dc019c395e5f94807bf601d

SHA1
68c9fb4f2038d437189e3b1e563afdc4b7b8e92f

SHA256
ef0bc328d9c61bd0ea1a864ea579a12d9236c297ed1158a74b51ad0c377d862c

SHA512
e2df3505a8b7942ce2fa2851842063640fe3a4e2d848b52c95b8ebc005cfd4ef72ba10186f74f12ecfaf03b83609d4f9b22cfbf6fbee797b435f1016ef514fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2ypkeoq\e2ypkeoq.dll

Filesize
24KB

MD5
1649698f9b6d72ad6fbf0dd7f3a10bb1

SHA1
9905014d07591b9c1898a32f153a41133a61e113

SHA256
98406c6bdfc4b1a1969c28f181cc1fcbb23a9735b49e6013e0f3274ec03557c3

SHA512
d4e157f8f7c7597bd1ae79701d0425538a7a9cae6e9ccb55fe57991fe710b0d1f4de8051ee1137e0d9bc4a0827da694b3bf6684aa3cb5a5efd568e706765f62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2ypkeoq\e2ypkeoq.pdb

Filesize
81KB

MD5
ba94e2b4065c4548f44e0c6fe78ae26b

SHA1
17f6bfa6d0fb8daa8f5d5443cd9e1b37086caa36

SHA256
af478c7f0ef9980c73d96bc827deb1729de8480de6b294ee5d87e1aea950597e

SHA512
e2543b06d9416cd874f6f0ea7e6e52700ff384d0b566b9c81b853bc8b67aa3ff4244bd05b7068b1628e3451f332f45b21790ea85d72aff257f285d5f99e494c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e2ypkeoq\CSC532AA446E80648E19A15D57AB54A422.TMP

Filesize
1KB

MD5
b0bbf118230731b27f78d08c8ea325b7

SHA1
fe04638eb624fd26b92130379f3b1188e95154d0

SHA256
630834c2b8f00a793fcd2ea85b6d2bda0e9161929c02f2b7ff6017c39347f4df

SHA512
bed0dec12ff54b53aa8e671c450172a9f76f2c5b35c2fa8bfda716478e8207831998aad4ed071ec2df3a3bde4f2aa77feb853a5c999d7f1ad94ea008e4decf0a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e2ypkeoq\e2ypkeoq.0.cs

Filesize
62KB

MD5
c2c3f4facf8d95166dcabd1920193a61

SHA1
eb401a9b8bab0a4b1eb14ea2b552f163723a650a

SHA256
3f0df6cd7121821772951006b510cbd7e536f24caacdc69c37d4019a8aa3d46b

SHA512
a9876a89353837e84db8d5bc11b2bd4f17eccb51ca294971813a9f402091e9cf0f682215f2a0eb32a9bf97fd6fec1ef476d26c3c7b2a21429b52b62ac43d7316

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e2ypkeoq\e2ypkeoq.cmdline

Filesize
312B

MD5
0b73bbcf6bca059ff6eacaaedddafce7

SHA1
f0419c9b757a14c5bbd1b7627fd31c1ce0341f48

SHA256
9871783fe1c631f708f381e91e96475a1eb3ebae3d28e647636521e07804f593

SHA512
7e2f38c23b2f2bcd78a4f664425a4a58e3e89709cad85cda7607053a4e34fb93db9126a32b37e38de0bc44a3614c65d472c7c056d175a79bd2b394a7eee15082

Download Submit
memory/2632-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-45-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2632-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2676-23-0x0000000001000000-0x000000000102C000-memory.dmp

Filesize
176KB

Download
memory/2676-36-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/2676-20-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2676-19-0x0000000000E50000-0x0000000000E82000-memory.dmp

Filesize
200KB

Download
memory/2676-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2676-4-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-1-0x0000000001190000-0x00000000011E6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing