netwire | d072441e276c608471a851b369726d633a66ad702663cf2868d15edfe79c5e64

Analysis

max time kernel
14s
max time network
123s
platform
windows10_x64
resource
win10v20210410
submitted
06-05-2021 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe
Size

1.8MB
MD5

7a5a9f55643adf965ea93bd197353248
SHA1

fd70e0ec9fca053c34dc08640477ff516d2d5725
SHA256

d072441e276c608471a851b369726d633a66ad702663cf2868d15edfe79c5e64
SHA512

ae0b36de0935c25aa22cd1273f550794b5e3341777e71d87ec6f74c061fcb66111875fc528a03263dcc6e8024b537dc158cedf849755c72d8c5cf9a9ed779c7d

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

23.105.131.210:1955

Attributes

activex_autorun
false
activex_key
copy_executable
true
delete_original
false
host_id
tdce
install_path
%AppData%\tdce\tdce.exe
keylogger_dir
%AppData%\tdce\
lock_executable
true
mutex
uUTFuXPN
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
tdce
use_mutex
true

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4436-117-0x00000000020E0000-0x000000000210C000-memory.dmp	netwire
behavioral2/memory/4436-118-0x0000000002110000-0x0000000002146000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1476 created 4436 1476 WerFault.exe SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1476 4436 WerFault.exe SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe

description	pid	process	target process
PID 1476 created 4436	1476	WerFault.exe	SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe

pid	pid_target	process	target process
1476	4436	WerFault.exe	SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe
1476	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1476 WerFault.exe
Token: SeBackupPrivilege 1476 WerFault.exe
Token: SeDebugPrivilege 1476 WerFault.exe

description	pid	process
Token: SeRestorePrivilege	1476	WerFault.exe
Token: SeBackupPrivilege	1476	WerFault.exe
Token: SeDebugPrivilege	1476	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.36853296.10653.5222.exe"
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 528
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4436-114-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4436-117-0x00000000020E0000-0x000000000210C000-memory.dmp

Filesize
176KB

Download
memory/4436-118-0x0000000002110000-0x0000000002146000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads