netwire | b8d5d12dc7dd328e89b1d4acf0e6de974e8fe11c89acac4f216d64a7e10d7eab

General

Target

Bounced Cheque.exe
Size

745KB
MD5

d0e7b058e35b998134e771b24f534b07
SHA1

9711b4478564484da540866df48c117f9d96fd4f
SHA256

249e738650027df7635aa70373e2e2f936eb58e1a208fdc8df9ee2f66e4cb9e3
SHA512

7f1b2c67f375a6225754a65eba3bcaed355672553265d70e16c0da4fbbd81c27a07d728f4cfccb1458a7d75061aa8b0d562db8e0f58fb03b82fdd671534ad506

Score

10^/10

Family

netwire

C2

iphanyi.duckdns.org:3360

Attributes

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1768-61-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1768-62-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1768-63-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1768-65-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1768-67-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1768-66-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1768-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1768-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

Bounced Cheque.exe

description pid process target process

PID 1640 set thread context of 1768 1640 Bounced Cheque.exe Bounced Cheque.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Bounced Cheque.exe

pid process

1640 Bounced Cheque.exe

description	pid	process	target process
PID 1640 set thread context of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe

pid	process
1640	Bounced Cheque.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Bounced Cheque.exe

description	pid	process	target process
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe
PID 1640 wrote to memory of 1768	1640	Bounced Cheque.exe	Bounced Cheque.exe

C:\Users\Admin\AppData\Local\Temp\Bounced Cheque.exe
"C:\Users\Admin\AppData\Local\Temp\Bounced Cheque.exe"
2⤵
PID:1768

memory/1768-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-67-0x000000000040242D-mapping.dmp

Download
memory/1768-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-69-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1768-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download