Malware Analysis Report

2025-08-10 22:20

Sample ID 220217-ajs4raegd6
Target 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
SHA256 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
Tags
rat netwire botnet stealer
score
10/10

Analysis Overview

score
10/10

SHA256

7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a

Threat Level: Known bad

The file 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a was found to be: Known bad.

Malicious Activity Summary

rat netwire botnet stealer

NetWire RAT payload

Netwire family

Netwire

Executes dropped EXE

Loads dropped DLL

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-17 00:14

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-17 00:14

Reported

2022-02-17 00:23

Platform

win7-en-20211208

Max time kernel

122s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe

"C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

Network

Country  Destination  Domain            Proto
US       8.8.8.8:53   sgteyor.ddns.net  udp

Files

memory/1568-55-0x0000000076371000-0x0000000076373000-memory.dmp

\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 0b1bb3e49dbdc7ebfe81d4d3982275d2
SHA1 958f45ab00ac2212c748461ea7860b12e7c8e35e
SHA256 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
SHA512 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 0b1bb3e49dbdc7ebfe81d4d3982275d2
SHA1 958f45ab00ac2212c748461ea7860b12e7c8e35e
SHA256 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
SHA512 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-17 00:14

Reported

2022-02-17 00:23

Platform

win10v2004-en-20220112

Max time kernel

159s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Netwire

botnet stealer netwire

Executes dropped EXE

Description  Indicator  Process                                        Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\Install\Host.exe  N/A

Checks processor information in registry

Description        Indicator                                                             Process                                Target
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0      C:\Windows\system32\MusNotifyIcon.exe  N/A
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  C:\Windows\system32\MusNotifyIcon.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe

"C:\Users\Admin\AppData\Local\Temp\7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a.exe"

C:\Users\Admin\AppData\Roaming\Install\Host.exe

"C:\Users\Admin\AppData\Roaming\Install\Host.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k wusvcs -p

Network

Country  Destination        Domain             Proto
US       93.184.220.29:80   -                  tcp
US       20.42.65.85:443    -                  tcp
US       93.184.220.29:80   -                  tcp
US       93.184.220.29:80   -                  tcp
BE       8.238.110.126:80   -                  tcp
BE       67.27.154.126:80   -                  tcp
US       93.184.220.29:80   -                  tcp
US       8.8.8.8:53         sgteyor.ddns.net   udp
US       72.21.91.29:80     crl4.digicert.com  tcp
US       93.184.220.29:80   -                  tcp
US       8.8.8.8:53         sgteyor.ddns.net   udp

Files

C:\Users\Admin\AppData\Roaming\Install\Host.exe

MD5 0b1bb3e49dbdc7ebfe81d4d3982275d2
SHA1 958f45ab00ac2212c748461ea7860b12e7c8e35e
SHA256 7e2bdb47ac86e3ea25c23496ed4046aa4108ccf647250e9d9dd8e4fb83aaea4a
SHA512 15ad15a353c379934a75ad56c8955b9ca4b7aa43de4559768c819f486e5df2448dfe3c8479ff799da58bace88abeca45c4fac28ca8ac41f267fdd83ea6cebb04