netwire | cd452913de86b1fe2e5ffd2489769fdc4c3900848f04481710a2e669b69d0e64

General

Target

bola.exe
Size

916KB
MD5

b91a3a7f7fa25bdb645550906e15ba65
SHA1

6d4bb0f94257f9928d4ccdcaf6bd025b64242c72
SHA256

cd452913de86b1fe2e5ffd2489769fdc4c3900848f04481710a2e669b69d0e64
SHA512

4fe893890119a4291493825272b5032e4bbda3f105fec934f7beee57defa7b984a1361138612eb33d7c8e12726af59c9659a6fae5a1209eb2c8241df726a42dc

Score

10^/10

rat botnet stealer netwire

Malware Config

Signatures

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

bola.exenotepad.exekjuy.exe

description	pid	process	target process
PID 2728 wrote to memory of 3936	2728	bola.exe	notepad.exe
PID 2728 wrote to memory of 3936	2728	bola.exe	notepad.exe
PID 2728 wrote to memory of 3936	2728	bola.exe	notepad.exe
PID 2728 wrote to memory of 3936	2728	bola.exe	notepad.exe
PID 2728 wrote to memory of 3936	2728	bola.exe	notepad.exe
PID 3936 wrote to memory of 4024	3936	notepad.exe	kjuy.exe
PID 3936 wrote to memory of 4024	3936	notepad.exe	kjuy.exe
PID 3936 wrote to memory of 4024	3936	notepad.exe	kjuy.exe
PID 4024 wrote to memory of 1836	4024	kjuy.exe	kjuy.exe
PID 4024 wrote to memory of 1836	4024	kjuy.exe	kjuy.exe
PID 4024 wrote to memory of 1836	4024	kjuy.exe	kjuy.exe
PID 4024 wrote to memory of 3700	4024	kjuy.exe	kjuy.exe
PID 4024 wrote to memory of 3700	4024	kjuy.exe	kjuy.exe
PID 4024 wrote to memory of 3700	4024	kjuy.exe	kjuy.exe

Executes dropped EXE 3 IoCs

Processes:

kjuy.exekjuy.exekjuy.exe

pid process

4024 kjuy.exe
1836 kjuy.exe
3700 kjuy.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

kjuy.exe

description pid process target process

PID 4024 set thread context of 1836 4024 kjuy.exe kjuy.exe
NTFS ADS 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe:ZoneIdentifier notepad.exe
Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghbn.vbs notepad.exe

pid	process
4024	kjuy.exe
1836	kjuy.exe
3700	kjuy.exe

description	pid	process	target process
PID 4024 set thread context of 1836	4024	kjuy.exe	kjuy.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe:ZoneIdentifier	notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghbn.vbs	notepad.exe

Suspicious behavior: EnumeratesProcesses 828 IoCs

Processes:

bola.exekjuy.exekjuy.exe

pid	process
2728	bola.exe
2728	bola.exe
4024	kjuy.exe
4024	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe
3700	kjuy.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

kjuy.exe

pid process

4024 kjuy.exe

pid	process
4024	kjuy.exe

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1836-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1836-8-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

C:\Users\Admin\AppData\Local\Temp\bola.exe
"C:\Users\Admin\AppData\Local\Temp\bola.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Suspicious use of WriteProcessMemory
- NTFS ADS
- Drops startup file
PID:3936

C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe
"C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4024

C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe
"C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe"
4⤵
- Executes dropped EXE
PID:1836

C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe
"C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe" 2 1836 166593
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe

Download Submit
C:\Users\Admin\AppData\Roaming\rtyt\kjuy.exe

Download Submit
memory/1836-5-0x000000000040242D-mapping.dmp

Download
memory/1836-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3700-7-0x0000000000000000-mapping.dmp

Download
memory/3936-0-0x0000000000000000-mapping.dmp

Download
memory/4024-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads