netwire | ee564dc0c72681dd264376c496603592961ed0025f607f5b5b0a9f025fa521bc

General

Target

Proof of Payment.exe
Size

669KB
MD5

4ec018f96f78c1bb6425f5e1bb71f6da
SHA1

5190f3d25beaebda68285ed0dae5241fcd1b2162
SHA256

ee564dc0c72681dd264376c496603592961ed0025f607f5b5b0a9f025fa521bc
SHA512

d7565e7928794486a4f4e30726030bab108e2d3b99ddc30171802f1f8dc820957850fcd610ae5e8468d24374d2efd9b5bf8040fd8ab6e9cd9bd049cd6cf2b5c9

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1112-9-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1112-10-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1112-11-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Proof of Payment.exe

description pid process target process

PID 1120 set thread context of 1112 1120 Proof of Payment.exe Proof of Payment.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1464 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proof of Payment.exe

description pid process

Token: SeDebugPrivilege 1120 Proof of Payment.exe

description	pid	process	target process
PID 1120 set thread context of 1112	1120	Proof of Payment.exe	Proof of Payment.exe

pid	process
1464	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1120	Proof of Payment.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Proof of Payment.exe

description	pid	process	target process
PID 1120 wrote to memory of 1464	1120	Proof of Payment.exe	schtasks.exe
PID 1120 wrote to memory of 1464	1120	Proof of Payment.exe	schtasks.exe
PID 1120 wrote to memory of 1464	1120	Proof of Payment.exe	schtasks.exe
PID 1120 wrote to memory of 1464	1120	Proof of Payment.exe	schtasks.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe
PID 1120 wrote to memory of 1112	1120	Proof of Payment.exe	Proof of Payment.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EkuxZKGBKwV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp"
2⤵
- Creates scheduled task(s)
PID:1464

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"{path}"
2⤵
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp
MD5
1923eeb4043770c935d774095094bc33

SHA1
4deb192867a9ea7611fe658f770c8aa2fac045ff

SHA256
e3a646418dd7b71d3009d75f63fedc93ec16e1dad6cdde0a788caca2e1074559

SHA512
d6f8bed0f5d19f5ca66a49431d27a943d4da3a795afa0772e1893cdafff017c997479b68f76a01c11008a584549741f16e5aee7f5099b9ff89a48f4e9668b44a

Download Submit
memory/1112-9-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1112-10-0x0000000000402BCB-mapping.dmp

Download
memory/1112-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1120-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/1120-3-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1120-5-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/1120-6-0x0000000005720000-0x0000000005796000-memory.dmp

Filesize
472KB

Download
memory/1464-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads