netwire | 9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c

General

Target

TNT TRACKING DETAILS.exe
Size

298KB
MD5

cb35b37456ce49e77239d5225900686b
SHA1

5e87cdd7a939828fb9772cf5e9baef6184549bea
SHA256

9d84b1d50b931d6ef5a0b45ca33fe995dab90bc05181b2d2cd5f996fa2bc7c1c
SHA512

de3332bd3cf13bb96c9f309c6914395339aa45e56339ae291307cfbdbcd22005cd4b9b36888901b9c9be6ab63b7e88134151aaf375920593401053c0296f91a9

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1632-3-0x0000000000400000-0x000000000043E000-memory.dmp	netwire
behavioral1/memory/1632-4-0x000000000040188B-mapping.dmp	netwire
behavioral1/memory/1632-5-0x0000000000400000-0x000000000043E000-memory.dmp	netwire
behavioral1/memory/1632-9-0x00000000002E0000-0x0000000000309000-memory.dmp	netwire
behavioral1/memory/1632-13-0x000000000040188B-mapping.dmp	netwire
behavioral1/memory/1632-12-0x000000000040188B-mapping.dmp	netwire
behavioral1/memory/1632-14-0x000000000040188B-mapping.dmp	netwire
behavioral1/memory/1632-15-0x000000000040188B-mapping.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT TRACKING DETAILS.exe

description pid process target process

PID 528 set thread context of 1632 528 TNT TRACKING DETAILS.exe TNT TRACKING DETAILS.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1260 1632 WerFault.exe TNT TRACKING DETAILS.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1868 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

TNT TRACKING DETAILS.exe

pid process

528 TNT TRACKING DETAILS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1260 WerFault.exe

description	pid	process	target process
PID 528 set thread context of 1632	528	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe

pid	pid_target	process	target process
1260	1632	WerFault.exe	TNT TRACKING DETAILS.exe

pid	process
1868	schtasks.exe

pid	process
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe
1260	WerFault.exe

pid	process
528	TNT TRACKING DETAILS.exe

description	pid	process
Token: SeDebugPrivilege	1260	WerFault.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

TNT TRACKING DETAILS.execmd.exeTNT TRACKING DETAILS.exe

description	pid	process	target process
PID 528 wrote to memory of 644	528	TNT TRACKING DETAILS.exe	cmd.exe
PID 528 wrote to memory of 644	528	TNT TRACKING DETAILS.exe	cmd.exe
PID 528 wrote to memory of 644	528	TNT TRACKING DETAILS.exe	cmd.exe
PID 528 wrote to memory of 644	528	TNT TRACKING DETAILS.exe	cmd.exe
PID 528 wrote to memory of 1632	528	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 528 wrote to memory of 1632	528	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 528 wrote to memory of 1632	528	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 528 wrote to memory of 1632	528	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 528 wrote to memory of 1632	528	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 644 wrote to memory of 1868	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 1868	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 1868	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 1868	644	cmd.exe	schtasks.exe
PID 1632 wrote to memory of 1260	1632	TNT TRACKING DETAILS.exe	WerFault.exe
PID 1632 wrote to memory of 1260	1632	TNT TRACKING DETAILS.exe	WerFault.exe
PID 1632 wrote to memory of 1260	1632	TNT TRACKING DETAILS.exe	WerFault.exe
PID 1632 wrote to memory of 1260	1632	TNT TRACKING DETAILS.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN files /XML "C:\Users\Admin\AppData\Local\Temp\c1a133fccadb406da6f53c1c76d4b61d.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN files /XML "C:\Users\Admin\AppData\Local\Temp\c1a133fccadb406da6f53c1c76d4b61d.xml"
3⤵
- Creates scheduled task(s)
PID:1868

C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 524
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c1a133fccadb406da6f53c1c76d4b61d.xml
MD5
0774d3d06701d1bbff91a49fc14ae608

SHA1
451cee9a5cffa67d88fe56beadc6a29764214144

SHA256
d714d6a5c6b1015d97c6c0c798c20e473ba271804df94aa4b234ff0310e35be4

SHA512
6af8a52e511e1f66364088c0eb4c56bb467e93992a710e6479f86fea59d2c94131f021145d90cf1f0911364f99d537532250acbf2abe2d18891c3e9fc2120b0d

Download Submit
memory/644-2-0x0000000000000000-mapping.dmp

Download
memory/1260-11-0x00000000021C0000-0x00000000021D1000-memory.dmp

Filesize
68KB

Download
memory/1260-10-0x0000000000000000-mapping.dmp

Download
memory/1632-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1632-8-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/1632-9-0x00000000002E0000-0x0000000000309000-memory.dmp

Filesize
164KB

Download
memory/1632-4-0x000000000040188B-mapping.dmp

Download
memory/1632-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1632-13-0x000000000040188B-mapping.dmp

Download
memory/1632-12-0x000000000040188B-mapping.dmp

Download
memory/1632-14-0x000000000040188B-mapping.dmp

Download
memory/1632-15-0x000000000040188B-mapping.dmp

Download
memory/1868-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads