netwire | 7915d92e56a86feb90323274532ccfefef357210f840b5dac3999399e7255193

General

Target

SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe
Size

731KB
MD5

6b33065b314dbb152d798237de373550
SHA1

4c654b9f7b2298d213048f6523f7dbd21c1cc64b
SHA256

7915d92e56a86feb90323274532ccfefef357210f840b5dac3999399e7255193
SHA512

b51d5e2644dc7a0cb0cfdf0fb2a98c5ad5c604366d584ded312f9d2cad18465d9d77ed4f8df8444ccdc79a6bce84a6b89de48531a1b9de15a46c71ee712ba457

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/60-19-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/60-20-0x000000000040242D-mapping.dmp	netwire
behavioral2/memory/60-25-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 2 IoCs

Processes:

pOwERsHeLl.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bastardok.exe	pOwERsHeLl.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bastardok.exe	pOwERsHeLl.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe

description pid process target process

PID 3888 set thread context of 60 3888 SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

pOwERsHeLl.exe

pid process

2484 pOwERsHeLl.exe
2484 pOwERsHeLl.exe
2484 pOwERsHeLl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

pOwERsHeLl.exe

description pid process

Token: SeDebugPrivilege 2484 pOwERsHeLl.exe

description	pid	process	target process
PID 3888 set thread context of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe

pid	process
2484	pOwERsHeLl.exe
2484	pOwERsHeLl.exe
2484	pOwERsHeLl.exe

description	pid	process
Token: SeDebugPrivilege	2484	pOwERsHeLl.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe

description	pid	process	target process
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 60	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	RegAsm.exe
PID 3888 wrote to memory of 2484	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	pOwERsHeLl.exe
PID 3888 wrote to memory of 2484	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	pOwERsHeLl.exe
PID 3888 wrote to memory of 2484	3888	SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe	pOwERsHeLl.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:60

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pOwERsHeLl.exe
"pOwERsHeLl.exe" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Save.a.30596.12305.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bastardok.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-20-0x000000000040242D-mapping.dmp

Download
memory/2484-27-0x00000000044A2000-0x00000000044A3000-memory.dmp

Filesize
4KB

Download
memory/2484-28-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/2484-36-0x0000000008BD0000-0x0000000008BD1000-memory.dmp

Filesize
4KB

Download
memory/2484-21-0x0000000000000000-mapping.dmp

Download
memory/2484-34-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/2484-33-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/2484-22-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-32-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/2484-31-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2484-30-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/2484-29-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2484-26-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2484-24-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2484-23-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2484-39-0x00000000044A3000-0x00000000044A4000-memory.dmp

Filesize
4KB

Download
memory/2484-35-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/3888-3-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3888-13-0x0000000005165000-0x0000000005166000-memory.dmp

Filesize
4KB

Download
memory/3888-18-0x0000000006D80000-0x0000000006D8C000-memory.dmp

Filesize
48KB

Download
memory/3888-17-0x0000000005169000-0x000000000516F000-memory.dmp

Filesize
24KB

Download
memory/3888-12-0x0000000005163000-0x0000000005165000-memory.dmp

Filesize
8KB

Download
memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3888-16-0x0000000005168000-0x0000000005169000-memory.dmp

Filesize
4KB

Download
memory/3888-6-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/3888-15-0x0000000005167000-0x0000000005168000-memory.dmp

Filesize
4KB

Download
memory/3888-7-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/3888-14-0x0000000005166000-0x0000000005167000-memory.dmp

Filesize
4KB

Download
memory/3888-11-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/3888-10-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/3888-9-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3888-8-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3888-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads