netwire | 09a4637db3d0b1cbf3114013c150d89ba01a827f534be57bcc4aaf8d9a18eba6

General

Target

e47938995903c2792020e366716b4c38_JaffaCakes118.exe
Size

167KB
MD5

e47938995903c2792020e366716b4c38
SHA1

5418d60c95e010dc50cee453eaef400f9cc1dfbd
SHA256

09a4637db3d0b1cbf3114013c150d89ba01a827f534be57bcc4aaf8d9a18eba6
SHA512

0f8631e2ab6f097c37dd86047ab816a798c7ff2cb5d7632ab07aef81021e745fee882554e57824d8b46d05dfbaf31c293aeeb49887c55c0b9cca2f281aea7769
SSDEEP

3072:OAhnswMzWqBSRGjY9akwgf6A9wZz/MPDox6ia9kJBx8eMCONeNY6hzcXy:9yS6kwgfHwZ7MxlkLJONefCXy

Score

10^/10

netwire botnet discovery rat stealer

Malware Config

Extracted

Family

netwire

C2

extensions14718.sytes.net:3324

extensions14718sec.sytes.net:3324

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
YbcwLUQv
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral2/memory/1616-24-0x0000000005140000-0x000000000516C000-memory.dmp	netwire
behavioral2/memory/4100-26-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4100-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4100-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4100-32-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/4100-39-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cjbyuc.url	e47938995903c2792020e366716b4c38_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1616 set thread context of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47938995903c2792020e366716b4c38_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe
1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3372	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	82
PID 1616 wrote to memory of 3372	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	82
PID 1616 wrote to memory of 3372	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	82
PID 3372 wrote to memory of 2984	3372	csc.exe	84
PID 3372 wrote to memory of 2984	3372	csc.exe	84
PID 3372 wrote to memory of 2984	3372	csc.exe	84
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85
PID 1616 wrote to memory of 4100	1616	e47938995903c2792020e366716b4c38_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\e47938995903c2792020e366716b4c38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e47938995903c2792020e366716b4c38_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ey1acou2\ey1acou2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65BF.tmp" "c:\Users\Admin\AppData\Local\Temp\ey1acou2\CSCDAF5407F2A934631A557870575D7790.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES65BF.tmp

Filesize
1KB

MD5
a8d8fe8fa323761e1a96acef9502974b

SHA1
efcee407ec3825adab5d7d070fd6db65b70bac4c

SHA256
d77ff2fe57b155a320ee035d7076339338bf79bd4393e4766df6bf434e56e330

SHA512
47407c1aa0dd2f41a7c14842d28ba7ba0d55f812a037286113131ae87b299409e5a5486c0d4a8d67a40ed0a3e7a6a4fc59866f8b2812e3c090b593aeb07fc535

Download Submit
C:\Users\Admin\AppData\Local\Temp\ey1acou2\ey1acou2.dll

Filesize
7KB

MD5
43ecd3c84db3c81de589d44097c7795f

SHA1
de123f7675aec20dce2aa2396e73c4a34c781827

SHA256
4207eaac42a88cea68d72e1f6d96e0a264986e09d43f7d907517d08b298d20dd

SHA512
38bce8b0ffbb1cdabbf31376c9af51a0d078b2a1e1538696c3835c9c00c0bfefd4269780185a169a9bce92051e308de13057c993d351c2ae68aee2ceb4f94e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ey1acou2\ey1acou2.pdb

Filesize
23KB

MD5
5c0567b299b182d0f3e1acaff1afac34

SHA1
a88b280fa512fd87cfba67e744c2e2f04ba406bc

SHA256
e8a913514492d79c27528913be0305fbc37d218bfe39233bd8c5adeb209b5681

SHA512
29f6e87134efe393f87f7beded5761ba46957660664c6ce20e333a6b2624645c0a6b5e4fb3f897dc3a89accd34d771e37a2008fc8c4c6038165e2885acddda48

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ey1acou2\CSCDAF5407F2A934631A557870575D7790.TMP

Filesize
1KB

MD5
5164e60fea7fe7d08ce5bc3abc410963

SHA1
f4faf7838525c9c66a47f5a6476bfd6bc487b4de

SHA256
2aeaacdc6788e606ede04f372123d8fd8445eacb705798525f8a4923d704417f

SHA512
d7837ff9302cd60f1fd5fe6ab732cbcb45ac9a853102c7f91065b455a296894fafae18fb4a0f729488f9570b44b18854e2dce13947b54ec3bd0aca3c9455295d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ey1acou2\ey1acou2.0.cs

Filesize
5KB

MD5
da5046232dc743ed805cf8d24a036f10

SHA1
4ab93ba9f71696071e8edc59c78df5e79b186089

SHA256
c99fb7896746e411f6dde27dc4e1a8b2a155bbe6e6c3acc3685e0763c332508e

SHA512
13fdcda44d7a3babadced66dc3e58d1eb0eba40f11061754ba9d60b529312737e353a0bebebd2c8c350e115d12e05c0859a8acbb5afdafc722b2324d5d0a18f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ey1acou2\ey1acou2.cmdline

Filesize
312B

MD5
a3c39d5f78af3a1a7ac17dd8772e472a

SHA1
2d282de655525cda4d242a4301ada325f3581106

SHA256
79f5b997978c24d890e56ffa56915e01f9a6591ddf75a861a04cd6d83f9d84c5

SHA512
1be0be625888c492e30fe7be221c2e0fd98e5f8398ea55afd4636bf05aa5f0b82b5c13882e8c178eb1149c7dc469e3139c24a9fbda8674cd7402d7123a97b536

Download Submit
memory/1616-19-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/1616-24-0x0000000005140000-0x000000000516C000-memory.dmp

Filesize
176KB

Download
memory/1616-1-0x00000000004F0000-0x0000000000520000-memory.dmp

Filesize
192KB

Download
memory/1616-17-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1616-0-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/1616-20-0x0000000004F20000-0x0000000004F52000-memory.dmp

Filesize
200KB

Download
memory/1616-21-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/1616-5-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/1616-25-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/1616-31-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4100-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4100-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4100-26-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4100-32-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4100-39-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing