netwire | fefea87ebfbd43c789033d46905fd2a11b8ea9d4c6b57691f23a89e8f8687992

General

Target

TNT TRACKING DETAILS.exe
Size

229KB
MD5

740a1985261bb2bd22b6dc7ffbdefc9d
SHA1

b2b9b3a35a01df3db2a1eaee3b4feb96647d3a5c
SHA256

fefea87ebfbd43c789033d46905fd2a11b8ea9d4c6b57691f23a89e8f8687992
SHA512

af71a44e0507c6a50ebdde2689f091a7ae226116d87978900cb00ff37bb8e98943391711f7b1829746e9e3d37fff17fdcf40f8fad785da0d3db8fc199ab5d174

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3208-6-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3208-7-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/3208-9-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT TRACKING DETAILS.exe

description pid process target process

PID 3676 set thread context of 3208 3676 TNT TRACKING DETAILS.exe TNT TRACKING DETAILS.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3112 schtasks.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

TNT TRACKING DETAILS.exeTNT TRACKING DETAILS.exe

pid process

540 TNT TRACKING DETAILS.exe
3676 TNT TRACKING DETAILS.exe

description	pid	process	target process
PID 3676 set thread context of 3208	3676	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe

pid	process
3112	schtasks.exe

pid	process
540	TNT TRACKING DETAILS.exe
3676	TNT TRACKING DETAILS.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

TNT TRACKING DETAILS.execmd.exeTNT TRACKING DETAILS.exe

description	pid	process	target process
PID 540 wrote to memory of 2668	540	TNT TRACKING DETAILS.exe	cmd.exe
PID 540 wrote to memory of 2668	540	TNT TRACKING DETAILS.exe	cmd.exe
PID 540 wrote to memory of 2668	540	TNT TRACKING DETAILS.exe	cmd.exe
PID 540 wrote to memory of 2696	540	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 540 wrote to memory of 2696	540	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 540 wrote to memory of 2696	540	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 540 wrote to memory of 3676	540	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 540 wrote to memory of 3676	540	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 540 wrote to memory of 3676	540	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 2668 wrote to memory of 3112	2668	cmd.exe	schtasks.exe
PID 2668 wrote to memory of 3112	2668	cmd.exe	schtasks.exe
PID 2668 wrote to memory of 3112	2668	cmd.exe	schtasks.exe
PID 3676 wrote to memory of 3208	3676	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 3676 wrote to memory of 3208	3676	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 3676 wrote to memory of 3208	3676	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe
PID 3676 wrote to memory of 3208	3676	TNT TRACKING DETAILS.exe	TNT TRACKING DETAILS.exe

C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN foftservices /XML "C:\Users\Admin\AppData\Local\Temp\c320787f426b499da21dec2a995e328c.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN foftservices /XML "C:\Users\Admin\AppData\Local\Temp\c320787f426b499da21dec2a995e328c.xml"
3⤵
- Creates scheduled task(s)
PID:3112

C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\TNT TRACKING DETAILS.exe"
3⤵
PID:3208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c320787f426b499da21dec2a995e328c.xml
MD5
0bf418cf82a2966080feb0e226c39846

SHA1
110a821c1c25bc108e45428a764e83fcc37fe896

SHA256
d5daea520d13bb9cdd3ae6cbcea86524e601f506003f1f6e519c3486b7c7ae35

SHA512
25a64e8e72fce625c640faae8dc255e84b1247d987da7c588ad3bc4097f4aeaa4de98f1cbada87e1bed2f9fbb35ca8f61e94c619f144416aa97c55fd9d788afd

Download Submit
memory/2668-2-0x0000000000000000-mapping.dmp

Download
memory/3112-4-0x0000000000000000-mapping.dmp

Download
memory/3208-6-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-7-0x000000000040242D-mapping.dmp

Download
memory/3208-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads