netwire | c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c

General

Target

FedEx TRACKING DETAILS.exe
Size

275KB
MD5

07c71b43ca45df4d5fb8b4a8cb90a3c1
SHA1

cf69d346d7d95e1387d64c4025af617272d4dc38
SHA256

c6e42b6b5328ea35302559a7cb8b3849e3b9a646648a9be0a505ae8c2aa5490c
SHA512

9ad849b93b5413f05ba2ad7c781d862497d3b35395fcdcc0454264c93d547d39d75cf0c4367fe100b8d05a0d59fd0606adfe9c45a4ff60ab5241045a52bc3194

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3772-3-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3772-4-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/3772-6-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

FedEx TRACKING DETAILS.exe

description pid process target process

PID 508 set thread context of 3772 508 FedEx TRACKING DETAILS.exe FedEx TRACKING DETAILS.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2816 schtasks.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

FedEx TRACKING DETAILS.exe

pid process

508 FedEx TRACKING DETAILS.exe

description	pid	process	target process
PID 508 set thread context of 3772	508	FedEx TRACKING DETAILS.exe	FedEx TRACKING DETAILS.exe

pid	process
2816	schtasks.exe

pid	process
508	FedEx TRACKING DETAILS.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

FedEx TRACKING DETAILS.execmd.exe

description	pid	process	target process
PID 508 wrote to memory of 1816	508	FedEx TRACKING DETAILS.exe	cmd.exe
PID 508 wrote to memory of 1816	508	FedEx TRACKING DETAILS.exe	cmd.exe
PID 508 wrote to memory of 1816	508	FedEx TRACKING DETAILS.exe	cmd.exe
PID 508 wrote to memory of 3772	508	FedEx TRACKING DETAILS.exe	FedEx TRACKING DETAILS.exe
PID 508 wrote to memory of 3772	508	FedEx TRACKING DETAILS.exe	FedEx TRACKING DETAILS.exe
PID 508 wrote to memory of 3772	508	FedEx TRACKING DETAILS.exe	FedEx TRACKING DETAILS.exe
PID 508 wrote to memory of 3772	508	FedEx TRACKING DETAILS.exe	FedEx TRACKING DETAILS.exe
PID 1816 wrote to memory of 2816	1816	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 2816	1816	cmd.exe	schtasks.exe
PID 1816 wrote to memory of 2816	1816	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN fiftservices /XML "C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml"
3⤵
- Creates scheduled task(s)
PID:2816

C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx TRACKING DETAILS.exe"
2⤵
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fd8e6f66c0d24ce7a8a81a9d06ef14b2.xml
MD5
5e2e669c68adab74edec35b732b38f35

SHA1
72e82eaf2a23f0c2cd20c193a27e83302abeca32

SHA256
695f8f7af0a3cb80db105481c38ae7e19f66f010ca75b756a4eb6dfbd2a165a8

SHA512
a5d57266600688282d0d7fd446bdb73f7618814e4c6e137609e2a0617d94057a359e06c534e48ace02c6d69849fb45a267a53c4326bbf3614cad8c9cb64adc33

Download Submit
memory/1816-2-0x0000000000000000-mapping.dmp

Download
memory/2816-7-0x0000000000000000-mapping.dmp

Download
memory/3772-3-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3772-4-0x000000000040242D-mapping.dmp

Download
memory/3772-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads