netwire | 8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264

Analysis

Target

8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe
Size

209KB
MD5

278235035db35559eed0d9882d7e83a1
SHA1

960e43094f5f3e773ee9030634bc9de14685109e
SHA256

8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264
SHA512

d8e60f87199951ac1a7392b6d5e8741ca6dea76c2c7a5773cf49058457d16184099936f4e63dc3b5f23657d36c2abff8b3172c98fdfb70bac001ef347578e9bc

Score

10^/10

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5004-131-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe

description	pid	process	target process
PID 508 set thread context of 5004	508	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe

pid process

508 8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe

description	pid	process	target process
PID 508 wrote to memory of 5004	508	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe
PID 508 wrote to memory of 5004	508	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe
PID 508 wrote to memory of 5004	508	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe
PID 508 wrote to memory of 5004	508	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe	8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe

C:\Users\Admin\AppData\Local\Temp\8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe
"C:\Users\Admin\AppData\Local\Temp\8ef29fdc370b4b4a07a3f077641dd33b205fd19a0a69b6a07c409689752b0264.exe"
2⤵
PID:5004

memory/5004-130-0x0000000000000000-mapping.dmp

Download
memory/5004-131-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download