netwire | 7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650

General

Target

d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
Size

257KB
MD5

d699e0316ff32d7b7d551ad6abface4c
SHA1

789f7e7ada8f769ac4709a74cf16c2a086f595e9
SHA256

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650
SHA512

e8d35c8acd950fcc3d81eb5a3b1047723d68b5de8906d825787ab87add3796abe700271fb666190732538e740b345c60a3a5fce8d0f79ac210abdcd536fc9fd1
SSDEEP

6144:5V6vBUSGrwSKVICKku8IF0j0KngiDyP5/x3:5VvSGrwSKqbF8IF08iuP/3

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2720-23-0x0000000000890000-0x00000000008BC000-memory.dmp	netwire
behavioral1/memory/2608-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2608-38-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2608-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2608-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2608-40-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2608-42-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2608-49-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVnkRn.url	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2784	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2784	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2784	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	31
PID 2720 wrote to memory of 2784	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	31
PID 2784 wrote to memory of 1792	2784	csc.exe	33
PID 2784 wrote to memory of 1792	2784	csc.exe	33
PID 2784 wrote to memory of 1792	2784	csc.exe	33
PID 2784 wrote to memory of 1792	2784	csc.exe	33
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34
PID 2720 wrote to memory of 2608	2720	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4F9.tmp" "c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\CSCC482708DAAAF4C1D87EA3686476BF663.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1792
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF4F9.tmp

Filesize
1KB

MD5
71eb1c8a86fdbf92445016924cbac14c

SHA1
bff575815e17c5424e6639fbd2806f8fe6471a3d

SHA256
a528948ea0e1ae10f8361dec9606d6448272b289d9058815c2fc9c3616d80cc4

SHA512
7454161d925305e5aaa949fd15bc4361237d35450f15f6b0ab8b6adfd344ca3e03c88fcb552b370040acfb61717cf3c1b76957a69f1ebd9f00084c72df9a898c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.dll

Filesize
17KB

MD5
9054d80aa07f7a998564cd332bf788bf

SHA1
e5c4ab117eac903a531f28f4a2a8bf274f99a22c

SHA256
75c28e0242f3000015372de26bc6f56048ca41fe2f1cfb4b2c3bc1c0f5537f6c

SHA512
768d6e24aada4c4bb50add342ecebc1373a3f9281f34396c244dee9291976865fad16dd41cf4f06a32b3f77783287d8470d6cff5ab0145e18af31ecf08e89027

Download Submit
C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.pdb

Filesize
53KB

MD5
ee37d19534cb08c17cb0b17588ab92ef

SHA1
be219a1e7fd49d14460f11141f9eba139afa5dae

SHA256
46ea0446d09b0bb2fe54854c5737c8b99c03e3f0d34c71a0127e00a2b07c9956

SHA512
6741517ab0c400cb6e4fa87545eaf848b2fb455f4243953667a16e820d59e9a9ea7403daf2773898c8c71f58cbd62524a0d4d179532d22cef5bbeecb04dfd556

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\CSCC482708DAAAF4C1D87EA3686476BF663.TMP

Filesize
1KB

MD5
d6007bac205a9a3a6dc6eb5f35877526

SHA1
ddc2f0053823449ac3b3891f3c9b0bc22a83073f

SHA256
751f4c51152069035c25846dab26a9e5ebee49ae3ca43543c40fed544f98915f

SHA512
e2833447f9ebd8c80bc020b853565ed015af60558828969cd7769e89be55660e67173703118b717c732a14157b95b2312107621d24c1e33aece24fad71785b06

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.0.cs

Filesize
37KB

MD5
9fafd44315a524486b84e23bedaec8bf

SHA1
0d2820c6a0d71d57200dccafa2c6fb421269f2ec

SHA256
549faa466584fa74103c11227ef0b811cf96bda2d27b5c1c53fc2f053e96db74

SHA512
e5f2023c15f49f7758d11972e4edf00731956cf69b0b52df6a1bed00dbe756ce87b1a76af9c7dacd3abdae374da8452d6c9790f5e1ebee4ceee9c74e23778280

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.cmdline

Filesize
312B

MD5
11177b781f03b0761859c41b315b64b6

SHA1
f5335dfdce53da77c4912bd3c35895ee6045a82e

SHA256
44f7263d9e2f1d6ddaebb7bf1467e8e45679a1ba426e995497b0fbdd738098d8

SHA512
d64cd151bbb32a830e3230e2540969008b277555c24c09e0a49d459148809eca03369bc1465b8314b9568c5055d9dd5e14b6b4b8084733f5ece9df5b053f3377

Download Submit
memory/2608-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-49-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-42-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-40-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2608-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2720-23-0x0000000000890000-0x00000000008BC000-memory.dmp

Filesize
176KB

Download
memory/2720-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/2720-5-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-20-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2720-19-0x0000000000860000-0x0000000000892000-memory.dmp

Filesize
200KB

Download
memory/2720-41-0x00000000749C0000-0x00000000750AE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-17-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/2720-1-0x0000000000E70000-0x0000000000EB6000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing