netwire | 7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650

General

Target

d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
Size

257KB
MD5

d699e0316ff32d7b7d551ad6abface4c
SHA1

789f7e7ada8f769ac4709a74cf16c2a086f595e9
SHA256

7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650
SHA512

e8d35c8acd950fcc3d81eb5a3b1047723d68b5de8906d825787ab87add3796abe700271fb666190732538e740b345c60a3a5fce8d0f79ac210abdcd536fc9fd1
SSDEEP

6144:5V6vBUSGrwSKVICKku8IF0j0KngiDyP5/x3:5VvSGrwSKqbF8IF08iuP/3

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/3156-24-0x0000000005460000-0x000000000548C000-memory.dmp	netwire
behavioral2/memory/708-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/708-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/708-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/708-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/708-38-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVnkRn.url	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3156 set thread context of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 1504	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	84
PID 3156 wrote to memory of 1504	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	84
PID 3156 wrote to memory of 1504	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	84
PID 1504 wrote to memory of 2436	1504	csc.exe	88
PID 1504 wrote to memory of 2436	1504	csc.exe	88
PID 1504 wrote to memory of 2436	1504	csc.exe	88
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89
PID 3156 wrote to memory of 708	3156	d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8702.tmp" "c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\CSC436D0B4487CD4416A574D5DEA2CE508.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8702.tmp

Filesize
1KB

MD5
fac0403a5765ecca79f2e12ad6decdcd

SHA1
e2e6c6a169898041cc660750406c846bff6d600d

SHA256
eff2c9ec7e78513e73446825e1fc9c02f84e75e02911b575274dc5380ab61d8a

SHA512
1c4db78d7ea4d3259078f3cb179c72ec70b8d72a5718e0e5d2f64259a80be370af10c0f002bc15fd78a4b2913a55d664dbcf898a221286f74a55b61afcac83ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.dll

Filesize
17KB

MD5
dbdd9916aa96ca0ad4e17debd86b5f79

SHA1
c5b441a65afa8b0ad2293253c30dca23dd1b803a

SHA256
66ee71ae21bb9405aecfd6c07954af4af599ea7f91087f34da24405539dceb1b

SHA512
5026b6faaf71a83f495be9f4ca6a3d42c4da36927b852e016ec760317e811ed6f74dbf9fdad90809986374be0ff16d1d13b144c9f049a268f996afe69a34b9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.pdb

Filesize
53KB

MD5
73a49a7618521b0a60b6bb95ef17a7ea

SHA1
edc395797476c61e98c65781633bfb5485f09076

SHA256
893f3e83aa95eb0776fa293446fc41ab1496a1221be4a17e1908ea2ab5b8ffc3

SHA512
c4381da83b3cc26e9dce270f62b277deea5805568e7fcaab35169e1ee029b3a87f8fa4586b5dc33a87374ddc61c223a9f6a875b75a67cfe8df9acbccaf73e545

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\CSC436D0B4487CD4416A574D5DEA2CE508.TMP

Filesize
1KB

MD5
c75e52af1e9dbbe5b5214e74d86e81ff

SHA1
8cbfa7491740703292aa74555e332af8e8d511aa

SHA256
323dda5f5e09dd206b0783aab1d98c2edf4f09dad51a5a80a32da1c4fc4ea219

SHA512
a4a6651bcabe6a60288649d7de75123e9e8a0e04ee71ce5d835cd98291b9d6880f641c24216a316a98ccf2ef68cacbb9096dbeda99505a2bb3d2d5b25803014b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.0.cs

Filesize
37KB

MD5
9fafd44315a524486b84e23bedaec8bf

SHA1
0d2820c6a0d71d57200dccafa2c6fb421269f2ec

SHA256
549faa466584fa74103c11227ef0b811cf96bda2d27b5c1c53fc2f053e96db74

SHA512
e5f2023c15f49f7758d11972e4edf00731956cf69b0b52df6a1bed00dbe756ce87b1a76af9c7dacd3abdae374da8452d6c9790f5e1ebee4ceee9c74e23778280

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.cmdline

Filesize
312B

MD5
8d7473375381ef41de8ac2a722845ece

SHA1
6d3602d8f7072e14e3575dbdaff87039289ea7cd

SHA256
d3964d7904e05c174531fe052a915e86d1ec64cf2f47c6f17747daab8318e3e7

SHA512
2e7e481358b868bb3b73aaaea5f1fc2e4164a2b545072e73488c06502d2c828737a95d8042df154c054fdedf2cc4c084eb83e8a2c324a4e17330d3eb25fffa6e

Download Submit
memory/708-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/708-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/708-38-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/708-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/708-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3156-19-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/3156-21-0x0000000005430000-0x000000000543C000-memory.dmp

Filesize
48KB

Download
memory/3156-24-0x0000000005460000-0x000000000548C000-memory.dmp

Filesize
176KB

Download
memory/3156-25-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/3156-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/3156-20-0x0000000005010000-0x0000000005042000-memory.dmp

Filesize
200KB

Download
memory/3156-5-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/3156-17-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/3156-1-0x00000000005F0000-0x0000000000636000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing