netwire | 0f7061b3e130e6e74d13a7c11fe4d6fb210c0fc4d26ec98b576169cbe5527cd9

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
Size

475KB
MD5

a38ad704ae67462e8890bbd7738c58e2
SHA1

0345707df4df630de7520c6901a08a39332c7731
SHA256

0f7061b3e130e6e74d13a7c11fe4d6fb210c0fc4d26ec98b576169cbe5527cd9
SHA512

65236d0caa6b5307db81dd2b2cef139b8f653ee87d992a1cd29675c193f16206ed6e83d33c8bdff83057fa5d08502b8f8ec8929c4b7505dabc873c43a75abfbd
SSDEEP

6144:Fr/BPeMTuxDmJh6YGdFWSSb/0zCPwFqz0JYnbN2FGU7pnMV2l0kEB1e:F9LIm76YG/WSSb/0QRbgF77pMcaB1

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

178.32.72.136:3361

193.124.0.151:3362

Attributes

activex_autorun
true
activex_key
{0QG8J5X8-8ATR-63E7-Y066-IIX78EN8O68E}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Skype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
kgTjYgBY
offline_keylogger
true
password
ebefob44
registry_autorun
true
startup_name
TeamViewer
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2060-15-0x0000000000400000-0x000000000047C000-memory.dmp netwire
behavioral1/memory/2060-22-0x0000000000400000-0x000000000047C000-memory.dmp netwire
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Skype.exe

pid process

2776 Skype.exe
Loads dropped DLL 1 IoCs

Processes:

a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe

pid process

2060 a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exeSkype.exe

pid process

2060 a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
2060 a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
2776 Skype.exe
2776 Skype.exe

resource	yara_rule
behavioral1/memory/2060-15-0x0000000000400000-0x000000000047C000-memory.dmp	netwire
behavioral1/memory/2060-22-0x0000000000400000-0x000000000047C000-memory.dmp	netwire

pid	process
2776	Skype.exe

pid	process
2060	a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe

pid	process
2060	a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
2060	a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
2776	Skype.exe
2776	Skype.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe

description	pid	process	target process
PID 2060 wrote to memory of 2776	2060	a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe	Skype.exe
PID 2060 wrote to memory of 2776	2060	a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe	Skype.exe
PID 2060 wrote to memory of 2776	2060	a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe	Skype.exe
PID 2060 wrote to memory of 2776	2060	a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe	Skype.exe

C:\Users\Admin\AppData\Local\Temp\a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Roaming\Install\Skype.exe
-m "C:\Users\Admin\AppData\Local\Temp\a38ad704ae67462e8890bbd7738c58e2_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2776

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Install\Skype.exe
Filesize
475KB

MD5
a38ad704ae67462e8890bbd7738c58e2

SHA1
0345707df4df630de7520c6901a08a39332c7731

SHA256
0f7061b3e130e6e74d13a7c11fe4d6fb210c0fc4d26ec98b576169cbe5527cd9

SHA512
65236d0caa6b5307db81dd2b2cef139b8f653ee87d992a1cd29675c193f16206ed6e83d33c8bdff83057fa5d08502b8f8ec8929c4b7505dabc873c43a75abfbd

Download Submit
memory/2060-8-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-4-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-7-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-14-0x0000000000490000-0x00000000004CA000-memory.dmp

Filesize
232KB

Download
memory/2060-3-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-9-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-13-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-6-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-2-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-12-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-11-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-10-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/2060-15-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2060-0-0x0000000000490000-0x00000000004CA000-memory.dmp

Filesize
232KB

Download
memory/2060-22-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads