netwire | 2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90

General

Target

vmclang.exe
Size

5.8MB
MD5

023ae9c9494ea1d4c24dcbfe7892c611
SHA1

2fff1f353cb6946d6f226050e710d4bc0cf4d16e
SHA256

2c1cef7d208ce8f0094415d06cc61fa37dd9c9308cfcd9fde0f7a32703220e90
SHA512

d2f1a3a1539a3e2359df28b274da3676718ccf2500ccceb8ed7e695d1e18b5344551b68a27c501c0ee4e0279f357b684ab1b04d3929357d6d478e26237e82d25

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4176-3-0x0000000000000000-mapping.dmp	netwire
behavioral2/memory/4176-4-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops file in Windows directory 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Windows\Tasks\vmclang.job notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vmclang.exeextrac32.exe

pid process

4700 vmclang.exe
5112 extrac32.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

extrac32.exe

pid process

5112 extrac32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vmclang.exe

pid process

4700 vmclang.exe

description	ioc	process
File created	C:\Windows\Tasks\vmclang.job	notepad.exe

pid	process
4700	vmclang.exe
5112	extrac32.exe

pid	process
5112	extrac32.exe

pid	process
4700	vmclang.exe

Suspicious use of WriteProcessMemory 159 IoCs

Processes:

vmclang.exe

description	pid	process	target process
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe
PID 4700 wrote to memory of 5112	4700	vmclang.exe	extrac32.exe

C:\Users\Admin\AppData\Local\Temp\vmclang.exe
"C:\Users\Admin\AppData\Local\Temp\vmclang.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\system32\extrac32.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5112

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
- Drops file in Windows directory
PID:4176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4176-3-0x0000000000000000-mapping.dmp

Download
memory/4176-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5112-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads