netwire | 3a3dbc80d8002dc960b26be2f29557d71106db8d425a69847b4659e605179847

General

Target

Proof of Payment.exe
Size

1.3MB
MD5

bcc3ba9b072abd4810d8e49e7f48b54a
SHA1

98d682d7dab028ef9f0f033670020b9ef44e345b
SHA256

3a3dbc80d8002dc960b26be2f29557d71106db8d425a69847b4659e605179847
SHA512

8f191615bdea2637c3c3e4b856245aa71cb9b765ba4550426bb141a7d49def1f5274fa359cec6db972e66dd977eae3e2fff39c6fb87711668164e3e06fbd291b

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1592-11-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1592-12-0x0000000000402BCB-mapping.dmp	netwire
behavioral1/memory/1592-14-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Proof of Payment.exe

description pid process target process

PID 308 set thread context of 1592 308 Proof of Payment.exe Proof of Payment.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1136 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Proof of Payment.exe

pid process

308 Proof of Payment.exe
308 Proof of Payment.exe
308 Proof of Payment.exe
308 Proof of Payment.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proof of Payment.exe

description pid process

Token: SeDebugPrivilege 308 Proof of Payment.exe

description	pid	process	target process
PID 308 set thread context of 1592	308	Proof of Payment.exe	Proof of Payment.exe

pid	process
1136	schtasks.exe

pid	process
308	Proof of Payment.exe
308	Proof of Payment.exe
308	Proof of Payment.exe
308	Proof of Payment.exe

description	pid	process
Token: SeDebugPrivilege	308	Proof of Payment.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Proof of Payment.exe

description	pid	process	target process
PID 308 wrote to memory of 1136	308	Proof of Payment.exe	schtasks.exe
PID 308 wrote to memory of 1136	308	Proof of Payment.exe	schtasks.exe
PID 308 wrote to memory of 1136	308	Proof of Payment.exe	schtasks.exe
PID 308 wrote to memory of 1136	308	Proof of Payment.exe	schtasks.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe
PID 308 wrote to memory of 1592	308	Proof of Payment.exe	Proof of Payment.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vUZhQosdC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp"
2⤵
- Creates scheduled task(s)
PID:1136

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"{path}"
2⤵
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB451.tmp
MD5
e5670ba1e2c7c85eba6d1dc5dea86180

SHA1
f191ed6c46d683f73952e79f862ca98ad7ff378f

SHA256
88653f1f8358cc46fd49274f5835a5842f8b24539323594e1de67eee36cdcd87

SHA512
93d9f3a3ad3b9cf292a13397dce6249fcb53e75f904abdec955ecc33d27a79f5d1bd5ee0277a57fd3f877d86cf1e64c6ca155e210901fa7ba1213ad3efb3b4dc

Download Submit
memory/308-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/308-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/308-5-0x0000000004840000-0x00000000048A5000-memory.dmp

Filesize
404KB

Download
memory/308-6-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/308-7-0x00000000003E0000-0x00000000003EE000-memory.dmp

Filesize
56KB

Download
memory/308-8-0x00000000048B0000-0x00000000048FF000-memory.dmp

Filesize
316KB

Download
memory/1136-9-0x0000000000000000-mapping.dmp

Download
memory/1592-11-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1592-12-0x0000000000402BCB-mapping.dmp

Download
memory/1592-13-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1592-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads