netwire | cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de

General

Target

FedEx Shipment.exe
Size

738KB
MD5

20e5be824638df2b4f86520d5a5a0cad
SHA1

5e3a464ce7ebaf297438e52dd6c9eaf374217eed
SHA256

cef2f777b4c29a5ced187382e3c0a0ee61d4c71471fc5d100b78a4e88f4324de
SHA512

238b8f441a6d5c17c407ff254928bb17ef7ed06143a23187842f9ab3012263913055672ea67c32351f2be9d2b2fa6f7e0a2a7af2260514870418dcf19fc11a11

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1932-6-0x000000001B170000-0x000000001B1EE000-memory.dmp	netwire
behavioral1/memory/1932-9-0x00000000021D0000-0x00000000021F9000-memory.dmp	netwire
behavioral1/memory/1724-10-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1724-12-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1724-14-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FedEx Shipment.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\cwd.exe = "C:\\Users\\Admin\\AppData\\Roaming\\cwds\\cwd.exe"	FedEx Shipment.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

FedEx Shipment.exe

description pid process target process

PID 1932 set thread context of 1724 1932 FedEx Shipment.exe explorer.exe

description	pid	process	target process
PID 1932 set thread context of 1724	1932	FedEx Shipment.exe	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

FedEx Shipment.exe

description	pid	process	target process
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe
PID 1932 wrote to memory of 1724	1932	FedEx Shipment.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\FedEx Shipment.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Shipment.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-12-0x000000000040242D-mapping.dmp

Download
memory/1724-13-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1724-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-2-0x000007FEF5330000-0x000007FEF5D1C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-3-0x000000013FC60000-0x000000013FC61000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x0000000002150000-0x00000000021CE000-memory.dmp

Filesize
504KB

Download
memory/1932-6-0x000000001B170000-0x000000001B1EE000-memory.dmp

Filesize
504KB

Download
memory/1932-7-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/1932-8-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1932-9-0x00000000021D0000-0x00000000021F9000-memory.dmp

Filesize
164KB

Download
memory/1932-11-0x000000001B980000-0x000000001B982000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads