netwire | 09a4637db3d0b1cbf3114013c150d89ba01a827f534be57bcc4aaf8d9a18eba6

General

Target

e47938995903c2792020e366716b4c38_JaffaCakes118.exe
Size

167KB
MD5

e47938995903c2792020e366716b4c38
SHA1

5418d60c95e010dc50cee453eaef400f9cc1dfbd
SHA256

09a4637db3d0b1cbf3114013c150d89ba01a827f534be57bcc4aaf8d9a18eba6
SHA512

0f8631e2ab6f097c37dd86047ab816a798c7ff2cb5d7632ab07aef81021e745fee882554e57824d8b46d05dfbaf31c293aeeb49887c55c0b9cca2f281aea7769
SSDEEP

3072:OAhnswMzWqBSRGjY9akwgf6A9wZz/MPDox6ia9kJBx8eMCONeNY6hzcXy:9yS6kwgfHwZ7MxlkLJONefCXy

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 9 IoCs

rat

resource	yara_rule
behavioral1/memory/1568-23-0x00000000005C0000-0x00000000005EC000-memory.dmp	netwire
behavioral1/memory/1532-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1532-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1532-34-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1532-36-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1532-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1532-27-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1532-37-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1532-44-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cjbyuc.url	e47938995903c2792020e366716b4c38_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1568 set thread context of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47938995903c2792020e366716b4c38_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe
1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2800	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	30
PID 1568 wrote to memory of 2800	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	30
PID 1568 wrote to memory of 2800	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	30
PID 1568 wrote to memory of 2800	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	30
PID 2800 wrote to memory of 1880	2800	csc.exe	32
PID 2800 wrote to memory of 1880	2800	csc.exe	32
PID 2800 wrote to memory of 1880	2800	csc.exe	32
PID 2800 wrote to memory of 1880	2800	csc.exe	32
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33
PID 1568 wrote to memory of 1532	1568	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e47938995903c2792020e366716b4c38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e47938995903c2792020e366716b4c38_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dydcgn1u\dydcgn1u.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB193.tmp" "c:\Users\Admin\AppData\Local\Temp\dydcgn1u\CSCE5AB766950A54D0894FC1CE09CCFD8CB.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB193.tmp

Filesize
1KB

MD5
33c5d0a5d0ba6b553a9d4aaeb7cb445d

SHA1
f5290d6da19ff3a5e53a100666a0593da9f4cadd

SHA256
c55a60abb89f0da3c39f8000f85af744db8dd78a0749a8e725bbf0732a5bdc54

SHA512
64b9c430fa3074951c69f59fbc72a3692c9f87faa144edf16139879e76b7101b1c7d2dba67a15d14fe51187697a4851e452c52108b0c0a72f31328cd42486f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dydcgn1u\dydcgn1u.dll

Filesize
7KB

MD5
e4562eeca2d100601054ab8966cd6a90

SHA1
c0e4171d7cbab22d9f6f30ceab5411cc4110098c

SHA256
56e306c921fe742b29f2cbf99a4485aeac75bdf36356f96ad0aa3e7f1b39b818

SHA512
d1d017c2bd7acef36e837b0fc1353106f51ba13550f8e60efa3d862c97da48fa37e50f41814d2d0f2bfcbb7003f0d3e95d11a53a94e458c33f2fc5334bff24a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dydcgn1u\dydcgn1u.pdb

Filesize
23KB

MD5
9f3b8adf880d7f4d71e8a1a4dbcfcfc0

SHA1
3f57cc60a964665d1ecb9e5be9a1535ce3a07c59

SHA256
7942d4a7a99d83fd08a61a99c3f9af51d9596f072423051540467a5d4aee891d

SHA512
22856b0aa1d1aa9ff0ee1e82cc4572b9c9e66d1aa4347d5a49304631df68967b64392334f64bde537061b4ccf7729036e29c544d950f5bc2583c0ea031229363

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dydcgn1u\CSCE5AB766950A54D0894FC1CE09CCFD8CB.TMP

Filesize
1KB

MD5
deefffe531af8cedbb19fb0b7923300f

SHA1
b08c705a4918c74bd7fba3bd04b7ddcb6e7aa66f

SHA256
4b41226767f97b3a370c1c67f87da2f562b3908dbce3840f188c0e0ef36cda50

SHA512
9c968a79b887a35176f5a9e273d0aed65d10f5f1e78ea3eed96713a7cb00cf4803b27ea5083e0c0d9256d9e5ff53b0dabd488db37141cb995a5a790e05320d49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dydcgn1u\dydcgn1u.0.cs

Filesize
5KB

MD5
da5046232dc743ed805cf8d24a036f10

SHA1
4ab93ba9f71696071e8edc59c78df5e79b186089

SHA256
c99fb7896746e411f6dde27dc4e1a8b2a155bbe6e6c3acc3685e0763c332508e

SHA512
13fdcda44d7a3babadced66dc3e58d1eb0eba40f11061754ba9d60b529312737e353a0bebebd2c8c350e115d12e05c0859a8acbb5afdafc722b2324d5d0a18f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dydcgn1u\dydcgn1u.cmdline

Filesize
312B

MD5
bde86bd910305bc749ed78415bc6f9b0

SHA1
7e23bb0996599a2c2f70b4527f04d8bb0e7aea34

SHA256
766cfb22cb40da20b53155bb7bfe4f09e8be2591396266faefec6b0d4356271e

SHA512
8f8b5285302129ee2a18f5f56b0d1d74448d320e1ca6e7ce931a9f06b8af1ba24fe03922fa3daacdc96b17a8cd71ea1d879aee6731e6356df42b664d944a3cae

Download Submit
memory/1532-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-37-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-44-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1532-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-34-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1532-36-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1568-23-0x00000000005C0000-0x00000000005EC000-memory.dmp

Filesize
176KB

Download
memory/1568-35-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1568-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/1568-20-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/1568-19-0x00000000004D0000-0x0000000000502000-memory.dmp

Filesize
200KB

Download
memory/1568-17-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/1568-5-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Filesize
6.9MB

Download
memory/1568-1-0x0000000000FF0000-0x0000000001020000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing