netwire | 691f3e4b532cb3802630762dadc0eb5f894a6b5463ab5723ef67379ef3f9d31f

General

Target

Begantoda[1].exe
Size

586KB
MD5

b4ff2825679835badd44aaa15256638c
SHA1

f67f7fac7368250b8df4d0a9b05408f775fe5f9c
SHA256

691f3e4b532cb3802630762dadc0eb5f894a6b5463ab5723ef67379ef3f9d31f
SHA512

33339d4ca2687a802ae61679bba672f926020fb319794e84bbdc84c3e68c744b8e241784f2ae5daa08ac78f58ca570539cd1ba446ec3ee4315c032937369db5a

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1540-14-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1540-15-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1540-22-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Begantoda[1].exe

description pid process target process

PID 1684 set thread context of 1540 1684 Begantoda[1].exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pOwERsHeLl.exe

pid process

1008 pOwERsHeLl.exe
1008 pOwERsHeLl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pOwERsHeLl.exe

description pid process

Token: SeDebugPrivilege 1008 pOwERsHeLl.exe

description	pid	process	target process
PID 1684 set thread context of 1540	1684	Begantoda[1].exe	RegAsm.exe

pid	process
1008	pOwERsHeLl.exe
1008	pOwERsHeLl.exe

description	pid	process
Token: SeDebugPrivilege	1008	pOwERsHeLl.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Begantoda[1].exe

description	pid	process	target process
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1540	1684	Begantoda[1].exe	RegAsm.exe
PID 1684 wrote to memory of 1008	1684	Begantoda[1].exe	pOwERsHeLl.exe
PID 1684 wrote to memory of 1008	1684	Begantoda[1].exe	pOwERsHeLl.exe
PID 1684 wrote to memory of 1008	1684	Begantoda[1].exe	pOwERsHeLl.exe
PID 1684 wrote to memory of 1008	1684	Begantoda[1].exe	pOwERsHeLl.exe

C:\Users\Admin\AppData\Local\Temp\Begantoda[1].exe
"C:\Users\Admin\AppData\Local\Temp\Begantoda[1].exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
"pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Begantoda[1].exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Trevorrendo.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-25-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/1008-23-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1008-42-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/1008-34-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1008-29-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1008-26-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1008-24-0x00000000023E2000-0x00000000023E3000-memory.dmp

Filesize
4KB

Download
memory/1008-16-0x0000000000000000-mapping.dmp

Download
memory/1008-21-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/1008-20-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1008-19-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/1008-35-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/1008-43-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1540-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-15-0x000000000040242D-mapping.dmp

Download
memory/1540-17-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/1684-10-0x00000000012A9000-0x00000000012AA000-memory.dmp

Filesize
4KB

Download
memory/1684-12-0x00000000012AB000-0x00000000012AC000-memory.dmp

Filesize
4KB

Download
memory/1684-3-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1684-11-0x00000000012AA000-0x00000000012AB000-memory.dmp

Filesize
4KB

Download
memory/1684-2-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-8-0x00000000012A7000-0x00000000012A8000-memory.dmp

Filesize
4KB

Download
memory/1684-7-0x00000000012A6000-0x00000000012A7000-memory.dmp

Filesize
4KB

Download
memory/1684-6-0x0000000001295000-0x00000000012A6000-memory.dmp

Filesize
68KB

Download
memory/1684-9-0x00000000012A8000-0x00000000012A9000-memory.dmp

Filesize
4KB

Download
memory/1684-5-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1684-13-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads