netwire | a7374e3645615c6c1c7326ccdab9c6743ed71723397524a15b1548d2c1a24a15

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
Size

392KB
MD5

af79eb8a77c46f99d2a80841353679d2
SHA1

d07a388f144864a69d3b1fb9f6b83a5a9fc01b4d
SHA256

a7374e3645615c6c1c7326ccdab9c6743ed71723397524a15b1548d2c1a24a15
SHA512

aa88e883bf3f1c1387283e0e68b40cf13e55501c328ac26efa663c943d9b9bf6f8f0e0d5a8162783feadde3d2e4f7279d6a327ba9c2dc2e77c05042e42e5e3c4
SSDEEP

6144:fNXqRB78GUgn+DTCcfBLy+SnpsuXBKnVN0tYyvrn:VXqr78GU8G98RKVGr

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

wealthyman.brasilia.me:39560

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
WEALTH
keylogger_dir
%AppData%\music\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/7312-17900-0x0000000000400000-0x000000000042C000-memory.dmp netwire
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Bantamvgteren.exe

pid process

7312 Bantamvgteren.exe
Drops file in Windows directory 2 IoCs

Processes:

af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exeBantamvgteren.exe

description ioc process

File opened for modification C:\Windows\win.ini af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
File opened for modification C:\Windows\win.ini Bantamvgteren.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

7176 schtasks.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exeBantamvgteren.exe

pid process

2804 af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
7312 Bantamvgteren.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Bantamvgteren.exe

pid process

7312 Bantamvgteren.exe

resource	yara_rule
behavioral1/memory/7312-17900-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

pid	process
7312	Bantamvgteren.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
File opened for modification	C:\Windows\win.ini	Bantamvgteren.exe

pid	process
7176	schtasks.exe

pid	process
2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
7312	Bantamvgteren.exe

pid	process
7312	Bantamvgteren.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exetaskeng.exe

description	pid	process	target process
PID 2804 wrote to memory of 7176	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 2804 wrote to memory of 7176	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 2804 wrote to memory of 7176	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 2804 wrote to memory of 7176	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 2804 wrote to memory of 7248	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 2804 wrote to memory of 7248	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 2804 wrote to memory of 7248	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 2804 wrote to memory of 7248	2804	af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe	schtasks.exe
PID 7280 wrote to memory of 7312	7280	taskeng.exe	Bantamvgteren.exe
PID 7280 wrote to memory of 7312	7280	taskeng.exe	Bantamvgteren.exe
PID 7280 wrote to memory of 7312	7280	taskeng.exe	Bantamvgteren.exe
PID 7280 wrote to memory of 7312	7280	taskeng.exe	Bantamvgteren.exe

C:\Users\Admin\AppData\Local\Temp\af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af79eb8a77c46f99d2a80841353679d2_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Minters4" /TR "C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe"
2⤵
- Creates scheduled task(s)
PID:7176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /run /tn "Minters4"
2⤵
PID:7248

C:\Windows\system32\taskeng.exe
taskeng.exe {B5620E5B-E1A9-43DE-BFAD-812FE17665B2} S-1-5-21-1340930862-1405011213-2821322012-1000:TICCAUTD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:7280

C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe
C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:7312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bantamvgteren.exe
Filesize
392KB

MD5
cd2bd627123db0ea0c2bbb428e830bfb

SHA1
3cc80c258bb30b2ad4815427ec57b7a19ba2cc00

SHA256
480310f5e5d0605c22a5cf739559a6f2176220b0df7a488ae1753ca33e186a46

SHA512
e4ac28d670eb47733e1368dc1b8b8864943e552bd17bc682bd56920c21e218264f555f3833f1e9733cf706b45ac26e7d7c9280b50136e9facf25bc5340bcb1a2

Download Submit
C:\Windows\win.ini
Filesize
497B

MD5
80f15b158c49b73757d1dde727355db7

SHA1
212a5c033130af8e8254d2b7a4a6c8762628ec91

SHA256
0df5cecf65125ca8de5b8a599400bda1aa3700b43f9f73ac91c2261da7946368

SHA512
767af13228a26d8b8ff2dfdefa223045638df6e37d4e614274c425e2e70cd12125a933946da286c1375e892668decd732300e22d301b4c8087f887dabf13050a

Download Submit
C:\Windows\win.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2804-8947-0x00000000770B0000-0x0000000077186000-memory.dmp

Filesize
856KB

Download
memory/2804-8948-0x000000000BAA0000-0x000000000C55A000-memory.dmp

Filesize
10.7MB

Download
memory/7312-17900-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download