netwire | 06e6812b532aa2534c5e148ca2d680f65eaa9ab6a3ac495ab7f69bb74c2f6aec

Analysis

Target

Absa.exe
Size

638KB
MD5

3e6a8a40fd2a124f8c9a3bc25bcebe94
SHA1

313a12b860281062c2842359e0d90c79695c5fa7
SHA256

3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
SHA512

e87dbfb61459c039fd9d897c6bb468669d389074c28f701339c85c38193f76d501dee7825b2235785059a14df1a5949cc003732e55ef94b39b41205cdaab1338

Score

10^/10

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskMrg.vbs notepad.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Absa.exe

description pid process target process

PID 4808 set thread context of 4284 4808 Absa.exe Absa.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TaskMrg.vbs	notepad.exe

description	pid	process	target process
PID 4808 set thread context of 4284	4808	Absa.exe	Absa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Absa.exeAbsa.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Absa.exe

pid process

4808 Absa.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Absa.exe

description	pid	process	target process
PID 4808 wrote to memory of 4188	4808	Absa.exe	notepad.exe
PID 4808 wrote to memory of 4188	4808	Absa.exe	notepad.exe
PID 4808 wrote to memory of 4188	4808	Absa.exe	notepad.exe
PID 4808 wrote to memory of 4188	4808	Absa.exe	notepad.exe
PID 4808 wrote to memory of 4188	4808	Absa.exe	notepad.exe
PID 4808 wrote to memory of 4284	4808	Absa.exe	Absa.exe
PID 4808 wrote to memory of 4284	4808	Absa.exe	Absa.exe
PID 4808 wrote to memory of 4284	4808	Absa.exe	Absa.exe
PID 4808 wrote to memory of 4476	4808	Absa.exe	Absa.exe
PID 4808 wrote to memory of 4476	4808	Absa.exe	Absa.exe
PID 4808 wrote to memory of 4476	4808	Absa.exe	Absa.exe

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
2⤵
- Drops startup file
PID:4188

C:\Users\Admin\AppData\Local\Temp\Absa.exe
"C:\Users\Admin\AppData\Local\Temp\Absa.exe"
2⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\Absa.exe
"C:\Users\Admin\AppData\Local\Temp\Absa.exe" 2 4284 240543343
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

memory/4188-130-0x0000000000000000-mapping.dmp

Download
memory/4284-131-0x0000000000000000-mapping.dmp

Download
memory/4476-132-0x0000000000000000-mapping.dmp

Download
memory/4808-133-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download