netwire | 1ac0260e031d5ad4709225c2b25d4228778743af7f9c7da0cd433fd9466cf4fb

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a89049859aed13029acec8420258457b_JaffaCakes118.exe
Size

386KB
MD5

a89049859aed13029acec8420258457b
SHA1

41b8d309f841f8dc55e6dc72c1b2efd84201d174
SHA256

1ac0260e031d5ad4709225c2b25d4228778743af7f9c7da0cd433fd9466cf4fb
SHA512

653d1d046c3b452e3a93270c4b29e2209e59d7f1cff05aca9bf1d6c669eee286792d6225805d24b35254d60f6181b1ce9195f7e79d0e9ecfc805fe95d28ce721
SSDEEP

6144:12dzTxBUbCHWPEo1P/B2Pxz5U0oSDPkKwjmGmDC4RPkVBwWe:1SzTxBUuHWPZ460oSDhcaleg

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

fingers1.ddns.net:3360

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1368-23-0x0000000005430000-0x000000000545C000-memory.dmp	netwire
behavioral2/memory/1772-25-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1772-28-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1772-29-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1772-31-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

a89049859aed13029acec8420258457b_JaffaCakes118.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url a89049859aed13029acec8420258457b_JaffaCakes118.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

a89049859aed13029acec8420258457b_JaffaCakes118.exe

description pid process target process

PID 1368 set thread context of 1772 1368 a89049859aed13029acec8420258457b_JaffaCakes118.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a89049859aed13029acec8420258457b_JaffaCakes118.exe

pid process

1368 a89049859aed13029acec8420258457b_JaffaCakes118.exe
1368 a89049859aed13029acec8420258457b_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a89049859aed13029acec8420258457b_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1368 a89049859aed13029acec8420258457b_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	a89049859aed13029acec8420258457b_JaffaCakes118.exe

description	pid	process	target process
PID 1368 set thread context of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe

pid	process
1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe
1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a89049859aed13029acec8420258457b_JaffaCakes118.execsc.exe

description	pid	process	target process
PID 1368 wrote to memory of 264	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	csc.exe
PID 1368 wrote to memory of 264	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	csc.exe
PID 1368 wrote to memory of 264	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	csc.exe
PID 264 wrote to memory of 1560	264	csc.exe	cvtres.exe
PID 264 wrote to memory of 1560	264	csc.exe	cvtres.exe
PID 264 wrote to memory of 1560	264	csc.exe	cvtres.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe
PID 1368 wrote to memory of 1772	1368	a89049859aed13029acec8420258457b_JaffaCakes118.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a89049859aed13029acec8420258457b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a89049859aed13029acec8420258457b_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mcksntxp\mcksntxp.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AE4.tmp" "c:\Users\Admin\AppData\Local\Temp\mcksntxp\CSC5FFA503B7636430187805F54E7512356.TMP"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4AE4.tmp
Filesize
1KB

MD5
26fec07371cc334298cbb4769a02f5cd

SHA1
43a8579e4d2c5150c56ac427de97f6d7b4bef24b

SHA256
9e3585d7e3b38cefd111e807ed0ff80173dcaa992797c31e83bbe5e9084e5dfd

SHA512
e7f60a502be89b39326c7d433e821bc1e60695c3752da5fb6fe785487710730e67d7152cb1323c4f53da07706067d5ef17db52579368bb6e8c4e1a3507692440

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcksntxp\mcksntxp.dll
Filesize
11KB

MD5
aaf7ae200c778619c4719fc5b058e675

SHA1
b1001c376ba0840bb1f0acf1a77e78540789037a

SHA256
c17071c8dfec0a23817d1e1a8c367e44016641ec20823f9ac59e76425c9a0864

SHA512
4e2651f91bb59bb3ab17ce63fedacb3f7640c1dc5b104a5893cf4a60476b0db293ada7fb2019c2675244b0926e79ab1b9710a07c6ebebd14b660f1ba4516042b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcksntxp\mcksntxp.pdb
Filesize
39KB

MD5
fff3b5886d5cc5a13e63ed6e7d7cea92

SHA1
ea8662cdc5d9da073e2e0d4e188370eea5f51d58

SHA256
09e9fc3c170f1d37e04b4cf71dda819f418a89fa1eff8b235d8fd4611c2a7f12

SHA512
da7930201556144bee16b6c4075f04dc978783136a75e1e309e14ab253ae544241d2e70b0bf65229ec5bad6543bb45628f8283ae27c6706083659e9bdc9f04c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mcksntxp\CSC5FFA503B7636430187805F54E7512356.TMP
Filesize
1KB

MD5
b6c3f706ccd835cc656781218b60029e

SHA1
4ac3dd855bfc3dbda87a17c3e92a20613a144943

SHA256
18dc4a9478e75fdad0b93ab5eed6e4799a9ae1d953ffbec10ca96b817f27cb26

SHA512
9e82f4da1956db7b7f83d9bc4ec711be811721dce60b8460fdb3eb0e48333ec253c076a5f106adb2c219f9d6d5607daba2a887cbff4cecb70ae2728c7ab2fbcf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mcksntxp\mcksntxp.0.cs
Filesize
18KB

MD5
af72a16c092d21be1afe566f637b16b6

SHA1
27b6037fbfea202ba4f7550b0adf81c6bc23aebc

SHA256
ed03bd1520cdedef25f84f60ac2049ce0c4d1e3512cd4846b4d6d552bf8becdb

SHA512
0da4e353054d1b28637f039e41de35a875c207ce953d62ceff2167bdcc9bf8fe0f70c66eb522fe46dab2990167cc2f37da875f8b293a467a3f9ae3458ea2cfeb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mcksntxp\mcksntxp.cmdline
Filesize
312B

MD5
a97866579fce67144b8d43bff273addb

SHA1
3349dcf17e90d9b3b273fe855f73afa910aeb644

SHA256
3c57076c96d834e9be4ebf5dec82a6a3506d455316334ecc3b22d2e0ee5d81a9

SHA512
f4bd2d596f91570f6bf5688e52be89817b65404936197f587bebbfdfd005d0037f064c7e19b2ee383285bc2e7c80a8c7b7020988785c91f293f76a9fa40fc8cf

Download Submit
memory/1368-19-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/1368-23-0x0000000005430000-0x000000000545C000-memory.dmp

Filesize
176KB

Download
memory/1368-1-0x00000000005A0000-0x0000000000606000-memory.dmp

Filesize
408KB

Download
memory/1368-17-0x00000000029D0000-0x00000000029DA000-memory.dmp

Filesize
40KB

Download
memory/1368-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

Filesize
4KB

Download
memory/1368-20-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/1368-21-0x0000000004F60000-0x0000000004F6C000-memory.dmp

Filesize
48KB

Download
memory/1368-5-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1368-24-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/1368-30-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1772-28-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1772-29-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1772-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1772-31-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download