netwire | c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef

General

Target

Proof Of Payment.exe
Size

1.4MB
MD5

b09c19f4d896b873476bce03ff91207f
SHA1

2d10ce9d6635ba0bc7787bc25e83f91e6c138a38
SHA256

c8dd40f09de4d85fa155fab0b763b1cba2d8381617eee03932d0edd221c33fef
SHA512

367341a093421f25f560ac9cc2d5e36932af225a72fc5ee8af9d7f1135f6f4f4d135d9bd927203979be4bcccbc3559e558190b4ecdc43d7502205131af0b15ea

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2064-15-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2064-16-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/2064-17-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Proof Of Payment.exe

description pid process target process

PID 1056 set thread context of 2064 1056 Proof Of Payment.exe Proof Of Payment.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2532 schtasks.exe

description	pid	process	target process
PID 1056 set thread context of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe

pid	process
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Proof Of Payment.exe

pid	process
1056	Proof Of Payment.exe
1056	Proof Of Payment.exe
1056	Proof Of Payment.exe
1056	Proof Of Payment.exe
1056	Proof Of Payment.exe
1056	Proof Of Payment.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proof Of Payment.exe

description pid process

Token: SeDebugPrivilege 1056 Proof Of Payment.exe

description	pid	process
Token: SeDebugPrivilege	1056	Proof Of Payment.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Proof Of Payment.exe

description	pid	process	target process
PID 1056 wrote to memory of 2532	1056	Proof Of Payment.exe	schtasks.exe
PID 1056 wrote to memory of 2532	1056	Proof Of Payment.exe	schtasks.exe
PID 1056 wrote to memory of 2532	1056	Proof Of Payment.exe	schtasks.exe
PID 1056 wrote to memory of 3528	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 3528	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 3528	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe
PID 1056 wrote to memory of 2064	1056	Proof Of Payment.exe	Proof Of Payment.exe

C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nhNlECm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE7C.tmp"
2⤵
- Creates scheduled task(s)
PID:2532

C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe
"{path}"
2⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.exe
"{path}"
2⤵
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEE7C.tmp
MD5
7ee30d8ccb8d7cd58c1439d9a56d5683

SHA1
7bb9d05123b9d2ded19ea75926cc0cc4eea55dbf

SHA256
1d6dc31c78d0df0ead8962a49f9ab4a8485240f35784efa4a5afc436162d70b3

SHA512
c82ce98b11ff774f21ff25ecb684ac4209f655fed69c9dba6e7ec2d7d32bcb16cf7f1fbdd37e806a53d64d2a9e6d13452b451d5cad754a77485fbeea6b8fc148

Download Submit
memory/1056-9-0x000000000A360000-0x000000000A361000-memory.dmp

Filesize
4KB

Download
memory/1056-11-0x0000000004EA0000-0x0000000004EF6000-memory.dmp

Filesize
344KB

Download
memory/1056-6-0x000000000A7F0000-0x000000000A7F1000-memory.dmp

Filesize
4KB

Download
memory/1056-7-0x000000000A390000-0x000000000A391000-memory.dmp

Filesize
4KB

Download
memory/1056-8-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1056-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/1056-10-0x0000000004BF0000-0x0000000004BFE000-memory.dmp

Filesize
56KB

Download
memory/1056-5-0x0000000006F70000-0x0000000006FE6000-memory.dmp

Filesize
472KB

Download
memory/1056-12-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/1056-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2064-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-16-0x000000000040242D-mapping.dmp

Download
memory/2064-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads