netwire | 3a3dbc80d8002dc960b26be2f29557d71106db8d425a69847b4659e605179847

General

Target

Proof of Payment.exe
Size

1.3MB
MD5

bcc3ba9b072abd4810d8e49e7f48b54a
SHA1

98d682d7dab028ef9f0f033670020b9ef44e345b
SHA256

3a3dbc80d8002dc960b26be2f29557d71106db8d425a69847b4659e605179847
SHA512

8f191615bdea2637c3c3e4b856245aa71cb9b765ba4550426bb141a7d49def1f5274fa359cec6db972e66dd977eae3e2fff39c6fb87711668164e3e06fbd291b

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1196-15-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1196-16-0x0000000000402BCB-mapping.dmp	netwire
behavioral2/memory/1196-17-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Proof of Payment.exe

description pid process target process

PID 1108 set thread context of 1196 1108 Proof of Payment.exe Proof of Payment.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3520 schtasks.exe

description	pid	process	target process
PID 1108 set thread context of 1196	1108	Proof of Payment.exe	Proof of Payment.exe

pid	process
3520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Proof of Payment.exe

pid	process
1108	Proof of Payment.exe
1108	Proof of Payment.exe
1108	Proof of Payment.exe
1108	Proof of Payment.exe
1108	Proof of Payment.exe
1108	Proof of Payment.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proof of Payment.exe

description pid process

Token: SeDebugPrivilege 1108 Proof of Payment.exe

description	pid	process
Token: SeDebugPrivilege	1108	Proof of Payment.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Proof of Payment.exe

description	pid	process	target process
PID 1108 wrote to memory of 3520	1108	Proof of Payment.exe	schtasks.exe
PID 1108 wrote to memory of 3520	1108	Proof of Payment.exe	schtasks.exe
PID 1108 wrote to memory of 3520	1108	Proof of Payment.exe	schtasks.exe
PID 1108 wrote to memory of 640	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 640	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 640	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe
PID 1108 wrote to memory of 1196	1108	Proof of Payment.exe	Proof of Payment.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vUZhQosdC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE053.tmp"
2⤵
- Creates scheduled task(s)
PID:3520

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"{path}"
2⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"{path}"
2⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE053.tmp
MD5
f62b8072dd1b08f23009445477cadb84

SHA1
0388b17f3b39019f38a12e1563aba4cbc0b3c324

SHA256
9f60b41c0084b9eab2bfff7f028a8b7a3b9e3578e27147e1f5de96dbb66bb158

SHA512
969c60a291af4a4a27825b79b97e96631174a55d62be05d432cfa23833081f8e9870981973ec28777c3be6bad72cd44fa90bb6bc0612d7dd33f0efcf4021fde4

Download Submit
memory/1108-9-0x0000000005C20000-0x0000000005C2E000-memory.dmp

Filesize
56KB

Download
memory/1108-11-0x0000000008BA0000-0x0000000008BEF000-memory.dmp

Filesize
316KB

Download
memory/1108-6-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/1108-7-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/1108-8-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/1108-2-0x0000000073290000-0x000000007397E000-memory.dmp

Filesize
6.9MB

Download
memory/1108-10-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1108-5-0x00000000055A0000-0x0000000005605000-memory.dmp

Filesize
404KB

Download
memory/1108-12-0x0000000008C90000-0x0000000008C91000-memory.dmp

Filesize
4KB

Download
memory/1108-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1196-15-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1196-16-0x0000000000402BCB-mapping.dmp

Download
memory/1196-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3520-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads