netwire | d7e6506f8b90ca6bd1bd92356045a4356306bbaf79ca8d159ba35ab5dc0f3124

General

Target

b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe
Size

319KB
MD5

b78cf1a172ab553e54a45a3446f909c6
SHA1

ceb9d1aaf34673d5a21261d34bf5046d230f391e
SHA256

d7e6506f8b90ca6bd1bd92356045a4356306bbaf79ca8d159ba35ab5dc0f3124
SHA512

c255ab5e0433c9eb154e1b94faf47112654ece6850523e76fc210a47b370c94eaf8492657ab1b6671acce59ebd5d6d3a28f13112272c4ab32fa5796c77b85b91
SSDEEP

3072:8UX8jQbww5buUhrcZOrHDf4Q6vdtxwzgXiFFjKbqXiS8MsLhejnUJVGwRFd/onTq:WjWsUmZOrbwdtS8v2XiOgvGwRoe5N

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/3336-24-0x0000000005E60000-0x0000000005E8C000-memory.dmp	netwire
behavioral2/memory/4280-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4280-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4280-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4280-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4280-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mefCUp.url	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3336 set thread context of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe
3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 4724	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	82
PID 3336 wrote to memory of 4724	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	82
PID 3336 wrote to memory of 4724	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	82
PID 4724 wrote to memory of 3912	4724	csc.exe	86
PID 4724 wrote to memory of 3912	4724	csc.exe	86
PID 4724 wrote to memory of 3912	4724	csc.exe	86
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87
PID 3336 wrote to memory of 4280	3336	b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b78cf1a172ab553e54a45a3446f909c6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m2kb233x\m2kb233x.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES398E.tmp" "c:\Users\Admin\AppData\Local\Temp\m2kb233x\CSCF334C86B9491442BAD2C625C303ABBB3.TMP"
    3⤵
    PID:3912
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES398E.tmp

Filesize
1KB

MD5
d4dee3cbf3a13a95d5f004f0d8316370

SHA1
52375249a47a368dba72f98002924a9e5496bf85

SHA256
584b4a939e37e5da02ca82d1afbf6e8fe13555b457fbe39feabf5773276f45fb

SHA512
07b6ba2a8cabd464e42f07943e61e66e9ad1a8d7a22bc78212b7c691561f4b15558d293a663b13404c343da93209f63a82db371b45380e12f35d5ffd9cea55de

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2kb233x\m2kb233x.dll

Filesize
24KB

MD5
3d34c798f5ca3ef19fe541fc65a4934d

SHA1
493faae686b202079f3969889865fe119a8efc88

SHA256
9532db1d8076edc20d5a70cb7abd974cfa405ae383f1ead03b911664eb3af9f2

SHA512
96162cfd09d5711c9e406478cab8631e5a854a93cbf35215ac1a1495d7658e904b75c4278f8089c905a92777840840d5d7cb59640c851e88a392eac826829b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2kb233x\m2kb233x.pdb

Filesize
81KB

MD5
a535752bbffb99f5ece73e3563398dfe

SHA1
d11ea7819da042158ab96fa134a58c94c9fe9102

SHA256
8b1ca21bd83019040de47bdb44cb28947bedeeba8eb1e71b6d16c399713d75ef

SHA512
9bcdffae38327337c32b10021e586721515fd56162d7e9719a2660779bdc9e178fa39aec2eac5e8cfbe421165e581f609be330fbd7a09497f20abb6015b4a02f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2kb233x\CSCF334C86B9491442BAD2C625C303ABBB3.TMP

Filesize
1KB

MD5
28dd31495b6827625389ccf59bd9832c

SHA1
d3d14a9e79e7a13a47b5fedb150c92f23832e8f8

SHA256
7c690d6066fcabdfe49995aeea9068ab64ece27befe25818ac88dc310045bd62

SHA512
afb88651d3c104c746b04dc00724ac35df198684beb6111990c6d0810ee70d60a51c0bd8b3bd310d214b733456bb38b1100e3e6ef9d62ae4414286b9c03e0530

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2kb233x\m2kb233x.0.cs

Filesize
62KB

MD5
c2c3f4facf8d95166dcabd1920193a61

SHA1
eb401a9b8bab0a4b1eb14ea2b552f163723a650a

SHA256
3f0df6cd7121821772951006b510cbd7e536f24caacdc69c37d4019a8aa3d46b

SHA512
a9876a89353837e84db8d5bc11b2bd4f17eccb51ca294971813a9f402091e9cf0f682215f2a0eb32a9bf97fd6fec1ef476d26c3c7b2a21429b52b62ac43d7316

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\m2kb233x\m2kb233x.cmdline

Filesize
312B

MD5
24a15abfe1f32a4dd84fbe73c8383353

SHA1
169234c9640857bb9c4045c0b3a353662fbbf5f8

SHA256
c4c8eba446a7f939a5cd2ca6ab353d0056308d0f8ce8b764efa849afa805746a

SHA512
17ab0766c8270e8953b01028210034f702a499142280ac08cfde34f054b7406fc7f1cfbda6e468208f46af220b413f34c7cdd6845ca3dec2a9ec97f17af4de7d

Download Submit
memory/3336-19-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/3336-24-0x0000000005E60000-0x0000000005E8C000-memory.dmp

Filesize
176KB

Download
memory/3336-1-0x0000000000EC0000-0x0000000000F16000-memory.dmp

Filesize
344KB

Download
memory/3336-17-0x0000000003270000-0x000000000327C000-memory.dmp

Filesize
48KB

Download
memory/3336-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

Filesize
4KB

Download
memory/3336-20-0x0000000005D30000-0x0000000005D62000-memory.dmp

Filesize
200KB

Download
memory/3336-21-0x0000000005890000-0x000000000589C000-memory.dmp

Filesize
48KB

Download
memory/3336-5-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/3336-25-0x00000000060E0000-0x000000000617C000-memory.dmp

Filesize
624KB

Download
memory/3336-31-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4280-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4280-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4280-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4280-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4280-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing