netwire | 4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
Size

1.4MB
MD5

908e3a6b1be1e25fb3dfd90dd368e62a
SHA1

91e8bac12c6374e3b9d05ee7380b6bb58a0a5723
SHA256

4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2
SHA512

3aa1a0d63f6402f4508b4b09683f3c2cdd72930fe3c452eb874e487f127b3f53e40fae49168cca317face99fbb6bce802d3defac9e39d5677dffb311cd7fb585
SSDEEP

24576:ru6J3xO0c+JY5UZ+XCHkGso6Fa720W4njUprvVcC1f2o5RRfgdWYi:Fo0c++OCokGs9Fa+rd1f26RNYi

Score

10^/10

netwire warzonerat botnet discovery infostealer rat stealer

Malware Config

Extracted

Family

netwire

Wealthy2019.com.strangled.net:20190

wealthyme.ddns.net:20190

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Host.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

wealth.warzonedns.com:5202

Signatures

NetWire RAT payload 11 IoCs

rat

resource	yara_rule
behavioral1/memory/2512-0-0x0000000000B10000-0x0000000000C7B000-memory.dmp	netwire
behavioral1/files/0x000d000000012254-3.dat	netwire
behavioral1/memory/2324-24-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2512-41-0x0000000000B10000-0x0000000000C7B000-memory.dmp	netwire
behavioral1/memory/1424-47-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/files/0x0007000000016c36-52.dat	netwire
behavioral1/memory/2376-54-0x0000000000F00000-0x000000000106B000-memory.dmp	netwire
behavioral1/memory/2376-83-0x0000000000F00000-0x000000000106B000-memory.dmp	netwire
behavioral1/memory/1424-89-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/320-91-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1480-118-0x0000000000F00000-0x000000000106B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Netwire family
netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2664-30-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat
behavioral1/memory/2664-39-0x0000000000080000-0x000000000009D000-memory.dmp	warzonerat

Executes dropped EXE 8 IoCs

pid	Process
2324	Blasthost.exe
1424	Host.exe
2376	RtDCpl64.exe
320	Blasthost.exe
1528	RtDCpl64.exe
1480	RtDCpl64.exe
2964	Blasthost.exe
2156	RtDCpl64.exe

Loads dropped DLL 13 IoCs

pid	Process
2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
2324	Blasthost.exe
2324	Blasthost.exe
2376	RtDCpl64.exe
2376	RtDCpl64.exe
2376	RtDCpl64.exe
2376	RtDCpl64.exe
1480	RtDCpl64.exe
1480	RtDCpl64.exe
1480	RtDCpl64.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2512-0-0x0000000000B10000-0x0000000000C7B000-memory.dmp	autoit_exe
behavioral1/memory/2512-41-0x0000000000B10000-0x0000000000C7B000-memory.dmp	autoit_exe
behavioral1/files/0x0007000000016c36-52.dat	autoit_exe
behavioral1/memory/2376-54-0x0000000000F00000-0x000000000106B000-memory.dmp	autoit_exe
behavioral1/memory/2376-83-0x0000000000F00000-0x000000000106B000-memory.dmp	autoit_exe
behavioral1/memory/1480-118-0x0000000000F00000-0x000000000106B000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2664	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	33
PID 2376 set thread context of 1528	2376	RtDCpl64.exe	41
PID 1480 set thread context of 2156	1480	RtDCpl64.exe	49

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blasthost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtDCpl64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
324	schtasks.exe
2936	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2324	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	31
PID 2512 wrote to memory of 2324	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	31
PID 2512 wrote to memory of 2324	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	31
PID 2512 wrote to memory of 2324	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	31
PID 2324 wrote to memory of 1424	2324	Blasthost.exe	32
PID 2324 wrote to memory of 1424	2324	Blasthost.exe	32
PID 2324 wrote to memory of 1424	2324	Blasthost.exe	32
PID 2324 wrote to memory of 1424	2324	Blasthost.exe	32
PID 2512 wrote to memory of 2664	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	33
PID 2512 wrote to memory of 2664	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	33
PID 2512 wrote to memory of 2664	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	33
PID 2512 wrote to memory of 2664	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	33
PID 2512 wrote to memory of 2664	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	33
PID 2512 wrote to memory of 2664	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	33
PID 2664 wrote to memory of 2948	2664	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	34
PID 2664 wrote to memory of 2948	2664	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	34
PID 2664 wrote to memory of 2948	2664	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	34
PID 2664 wrote to memory of 2948	2664	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	34
PID 2512 wrote to memory of 2936	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	36
PID 2512 wrote to memory of 2936	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	36
PID 2512 wrote to memory of 2936	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	36
PID 2512 wrote to memory of 2936	2512	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	36
PID 2664 wrote to memory of 2948	2664	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	34
PID 2664 wrote to memory of 2948	2664	4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe	34
PID 2384 wrote to memory of 2376	2384	taskeng.exe	39
PID 2384 wrote to memory of 2376	2384	taskeng.exe	39
PID 2384 wrote to memory of 2376	2384	taskeng.exe	39
PID 2384 wrote to memory of 2376	2384	taskeng.exe	39
PID 2376 wrote to memory of 320	2376	RtDCpl64.exe	40
PID 2376 wrote to memory of 320	2376	RtDCpl64.exe	40
PID 2376 wrote to memory of 320	2376	RtDCpl64.exe	40
PID 2376 wrote to memory of 320	2376	RtDCpl64.exe	40
PID 2376 wrote to memory of 1528	2376	RtDCpl64.exe	41
PID 2376 wrote to memory of 1528	2376	RtDCpl64.exe	41
PID 2376 wrote to memory of 1528	2376	RtDCpl64.exe	41
PID 2376 wrote to memory of 1528	2376	RtDCpl64.exe	41
PID 2376 wrote to memory of 1528	2376	RtDCpl64.exe	41
PID 2376 wrote to memory of 1528	2376	RtDCpl64.exe	41
PID 2376 wrote to memory of 2896	2376	RtDCpl64.exe	43
PID 2376 wrote to memory of 2896	2376	RtDCpl64.exe	43
PID 2376 wrote to memory of 2896	2376	RtDCpl64.exe	43
PID 2376 wrote to memory of 2896	2376	RtDCpl64.exe	43
PID 1528 wrote to memory of 2732	1528	RtDCpl64.exe	42
PID 1528 wrote to memory of 2732	1528	RtDCpl64.exe	42
PID 1528 wrote to memory of 2732	1528	RtDCpl64.exe	42
PID 1528 wrote to memory of 2732	1528	RtDCpl64.exe	42
PID 1528 wrote to memory of 2732	1528	RtDCpl64.exe	42
PID 1528 wrote to memory of 2732	1528	RtDCpl64.exe	42
PID 2384 wrote to memory of 1480	2384	taskeng.exe	47
PID 2384 wrote to memory of 1480	2384	taskeng.exe	47
PID 2384 wrote to memory of 1480	2384	taskeng.exe	47
PID 2384 wrote to memory of 1480	2384	taskeng.exe	47
PID 1480 wrote to memory of 2964	1480	RtDCpl64.exe	48
PID 1480 wrote to memory of 2964	1480	RtDCpl64.exe	48
PID 1480 wrote to memory of 2964	1480	RtDCpl64.exe	48
PID 1480 wrote to memory of 2964	1480	RtDCpl64.exe	48
PID 1480 wrote to memory of 2156	1480	RtDCpl64.exe	49
PID 1480 wrote to memory of 2156	1480	RtDCpl64.exe	49
PID 1480 wrote to memory of 2156	1480	RtDCpl64.exe	49
PID 1480 wrote to memory of 2156	1480	RtDCpl64.exe	49
PID 1480 wrote to memory of 2156	1480	RtDCpl64.exe	49
PID 1480 wrote to memory of 2156	1480	RtDCpl64.exe	49
PID 2156 wrote to memory of 2168	2156	RtDCpl64.exe	50
PID 2156 wrote to memory of 2168	2156	RtDCpl64.exe	50

C:\Users\Admin\AppData\Local\Temp\4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
"C:\Users\Admin\AppData\Local\Temp\4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Roaming\Blasthost.exe
  "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
    "C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"
    3⤵
    - Executes dropped EXE
    PID:1424
- C:\Users\Admin\AppData\Local\Temp\4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe
  "C:\Users\Admin\AppData\Local\Temp\4df108ad77d4449b1146a8c340b75b730fce8d0bc4ceefebebd5575dfd5951c2.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2936

C:\Windows\system32\taskeng.exe
taskeng.exe {513A1688-FE93-4362-AF97-DEA7213C6D01} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    3⤵
    - Executes dropped EXE
    PID:320
- - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2896
- C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Roaming\Blasthost.exe
    "C:\Users\Admin\AppData\Roaming\Blasthost.exe"
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
    "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

Filesize
1.4MB

MD5
c77270106378e2234682ba04ca4b4c4c

SHA1
e83c2e78c4fbffd3ad04c81a2428ff664d0deca1

SHA256
0bc6b45c73d7ef52f6baf652685222d025d4ff82f29f620f5bd1e45179e8c4d5

SHA512
4961a9cf6f2a2ffe3ba8ec83d08e5753013c964e214da47cfd90232f72267d41c2492c4bb2069f02119dceeec8d37914fdd5eecd92781c299b8a7c0ee3311565

Download Submit
\Users\Admin\AppData\Roaming\Blasthost.exe

Filesize
132KB

MD5
6087bf6af59b9c531f2c9bb421d5e902

SHA1
8bc0f1596c986179b82585c703bacae6d2a00316

SHA256
3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c

SHA512
c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

Download Submit
memory/320-91-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1424-47-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1424-89-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1480-118-0x0000000000F00000-0x000000000106B000-memory.dmp

Filesize
1.4MB

Download
memory/1528-79-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2324-24-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2376-83-0x0000000000F00000-0x000000000106B000-memory.dmp

Filesize
1.4MB

Download
memory/2376-54-0x0000000000F00000-0x000000000106B000-memory.dmp

Filesize
1.4MB

Download
memory/2512-41-0x0000000000B10000-0x0000000000C7B000-memory.dmp

Filesize
1.4MB

Download
memory/2512-0-0x0000000000B10000-0x0000000000C7B000-memory.dmp

Filesize
1.4MB

Download
memory/2512-26-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2664-30-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2664-39-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2664-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-27-0x0000000000080000-0x000000000009D000-memory.dmp

Filesize
116KB

Download
memory/2732-86-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2948-42-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2948-44-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads