netwire | 0cf39897608cc89af6871a62b4e77314d62b7b54c15b55197aeae5d29b0390a1

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe
Size

10.4MB
MD5

2fd03cf435ea19bd69da786c42951a62
SHA1

91d40f832fc305a206621e9965e6561ddecae0fd
SHA256

0cf39897608cc89af6871a62b4e77314d62b7b54c15b55197aeae5d29b0390a1
SHA512

fb776a56d5f8579c749340e214c629fdb058373c447c54b11ab8ba873125cfe0266177c50baa914bdf879997bab5867ee511d7a6e5891c55352068d024654419
SSDEEP

98304:hq7DJmgjPT8HnR+8NG9ioUsdDiE24fJ4qm7/iAXflijzJkiTUGI0ZYW:gmgrQHRxFQDiZ+4xXf6zUGI0K

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

reroutetraffic.io:4548

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
bprn2x
keylogger_dir
%AppData%\SanderApp\
lock_executable
false
offline_keylogger
true
password
iT5HZYc8pnFOlw3JAF8gfKBQcUZrrOyZ
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2528-6-0x00000000059C0000-0x00000000059FF000-memory.dmp	netwire
behavioral1/memory/2072-8-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2072-9-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2072-15-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\StartupOptimizer.job	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe
2528	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2528	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2988 wrote to memory of 2528	2988	2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32
PID 2528 wrote to memory of 2072	2528	notepad.exe	32

C:\Users\Admin\AppData\Local\Temp\2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fd03cf435ea19bd69da786c42951a62_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Drops file in Windows directory
    PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-10-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2072-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-1-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2528-5-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2528-6-0x00000000059C0000-0x00000000059FF000-memory.dmp

Filesize
252KB

Download
memory/2528-11-0x00000000059C0000-0x00000000059FF000-memory.dmp

Filesize
252KB

Download
memory/2988-0-0x00000000002F0000-0x00000000002FB000-memory.dmp

Filesize
44KB

Download
memory/2988-2-0x0000000000400000-0x0000000000E8C000-memory.dmp

Filesize
10.5MB

Download
memory/2988-4-0x00000000002F0000-0x00000000002FB000-memory.dmp

Filesize
44KB

Download