netwire | ee564dc0c72681dd264376c496603592961ed0025f607f5b5b0a9f025fa521bc

General

Target

Proof of Payment.exe
Size

669KB
MD5

4ec018f96f78c1bb6425f5e1bb71f6da
SHA1

5190f3d25beaebda68285ed0dae5241fcd1b2162
SHA256

ee564dc0c72681dd264376c496603592961ed0025f607f5b5b0a9f025fa521bc
SHA512

d7565e7928794486a4f4e30726030bab108e2d3b99ddc30171802f1f8dc820957850fcd610ae5e8468d24374d2efd9b5bf8040fd8ab6e9cd9bd049cd6cf2b5c9

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/492-13-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/492-14-0x0000000000402BCB-mapping.dmp	netwire
behavioral2/memory/492-15-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Proof of Payment.exe

description pid process target process

PID 576 set thread context of 492 576 Proof of Payment.exe Proof of Payment.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

184 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Proof of Payment.exe

pid process

576 Proof of Payment.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proof of Payment.exe

description pid process

Token: SeDebugPrivilege 576 Proof of Payment.exe

description	pid	process	target process
PID 576 set thread context of 492	576	Proof of Payment.exe	Proof of Payment.exe

pid	process
184	schtasks.exe

pid	process
576	Proof of Payment.exe

description	pid	process
Token: SeDebugPrivilege	576	Proof of Payment.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Proof of Payment.exe

description	pid	process	target process
PID 576 wrote to memory of 184	576	Proof of Payment.exe	schtasks.exe
PID 576 wrote to memory of 184	576	Proof of Payment.exe	schtasks.exe
PID 576 wrote to memory of 184	576	Proof of Payment.exe	schtasks.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe
PID 576 wrote to memory of 492	576	Proof of Payment.exe	Proof of Payment.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EkuxZKGBKwV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp"
2⤵
- Creates scheduled task(s)
PID:184

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"{path}"
2⤵
PID:492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEB11.tmp
MD5
a7f934e06c9580441940caa548d92306

SHA1
cd9a224931dfa551145e89e876fec1ea14eacbdb

SHA256
3077c4c78179b23cdc4b99826fb2e2b2c49ee834ab755354da8acb131e05fe87

SHA512
dcb14061220542cf77a57967735d7c0b86c61667ab25e50c42575657eb9c5c8ba1aeabd7b11a07fc393ffd55aa27c7bfecf866c81276efea4fd945e4996082b7

Download Submit
memory/184-11-0x0000000000000000-mapping.dmp

Download
memory/492-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/492-14-0x0000000000402BCB-mapping.dmp

Download
memory/492-13-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/576-6-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/576-9-0x0000000007120000-0x0000000007196000-memory.dmp

Filesize
472KB

Download
memory/576-10-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/576-8-0x0000000004DD0000-0x0000000004DDE000-memory.dmp

Filesize
56KB

Download
memory/576-7-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/576-2-0x0000000073560000-0x0000000073C4E000-memory.dmp

Filesize
6.9MB

Download
memory/576-5-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/576-3-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads