netwire | e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145

General

Target

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
Size

496KB
MD5

2e949fbd641fbb0b7a2faa128ddd3540
SHA1

eac22a028a62c18391a452850d9c42fbb19b7fb8
SHA256

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145
SHA512

93d326fc1f0bdace236773275b0969dc191e98979e6f353567bf8ca5479773bf8c811dd9b292136a6a1f2aa0999988c79567ef41f75dde5243ebd628582c1d78

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1132-136-0x0000000000400000-0x000000000047E000-memory.dmp	netwire
behavioral2/memory/1132-137-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

description	pid	process	target process
PID 1292 set thread context of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

pid process

1292 e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

pid	process
1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

description	pid	process	target process
PID 1292 wrote to memory of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
PID 1292 wrote to memory of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
PID 1292 wrote to memory of 1132	1292	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe	e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe

C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
"C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe
C:\Users\Admin\AppData\Local\Temp\e7cddae953978be6b45011ccbde76cc209eb1bfb3976ba9e214a37df62e3e145.exe"
2⤵
- Adds Run key to start application
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-133-0x0000000000000000-mapping.dmp

Download
memory/1132-136-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1132-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-143-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

Filesize
2.0MB

Download
memory/1132-144-0x00000000773E0000-0x0000000077583000-memory.dmp

Filesize
1.6MB

Download
memory/1292-132-0x0000000002220000-0x0000000002227000-memory.dmp

Filesize
28KB

Download
memory/1292-134-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp

Filesize
2.0MB

Download
memory/1292-135-0x00000000773E0000-0x0000000077583000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads