netwire | d80ecb62c54c587a0b04539012981a8d7391a5752048439aae18713969d4fe2b

Analysis

Target

TRANSAC2.exe
Size

1.2MB
MD5

003d19970194080b5cf4943b45ffb523
SHA1

d1215cc8a501c297157ca4d44bc683f95c747f86
SHA256

5a9dc7a0a78582178b5ecc4b83725338027de4ec8d68ccf2f22ea6e92aab509f
SHA512

62f69b3c5eaf138b7ed3c30b1e9b79b2ff4fec9d17f537d2f4fc5cd6fe3d775244df6c9449df2ad1694207de1310be0d3ff875ddae73cb8b9c0f5379f8a9a217

Score

10^/10

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2104-132-0x0000000000AA0000-0x0000000000ACB000-memory.dmp	netwire
behavioral2/memory/2104-141-0x0000000000AA0000-0x0000000000ACB000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Drops startup file 1 IoCs

Processes:

TRANSAC2.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.url TRANSAC2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

TRANSAC2.exe

description pid process target process

PID 4880 set thread context of 2104 4880 TRANSAC2.exe TRANSAC2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc.url	TRANSAC2.exe

description	pid	process	target process
PID 4880 set thread context of 2104	4880	TRANSAC2.exe	TRANSAC2.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

TRANSAC2.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

TRANSAC2.exe

pid process

4880 TRANSAC2.exe
4880 TRANSAC2.exe
4880 TRANSAC2.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

TRANSAC2.exe

pid process

4880 TRANSAC2.exe
4880 TRANSAC2.exe
4880 TRANSAC2.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

TRANSAC2.exe

description	pid	process	target process
PID 4880 wrote to memory of 2104	4880	TRANSAC2.exe	TRANSAC2.exe
PID 4880 wrote to memory of 2104	4880	TRANSAC2.exe	TRANSAC2.exe
PID 4880 wrote to memory of 2104	4880	TRANSAC2.exe	TRANSAC2.exe
PID 4880 wrote to memory of 2104	4880	TRANSAC2.exe	TRANSAC2.exe
PID 4880 wrote to memory of 2104	4880	TRANSAC2.exe	TRANSAC2.exe

C:\Users\Admin\AppData\Local\Temp\TRANSAC2.exe
"C:\Users\Admin\AppData\Local\Temp\TRANSAC2.exe"
2⤵
PID:2104

memory/2104-131-0x0000000000000000-mapping.dmp

Download
memory/2104-132-0x0000000000AA0000-0x0000000000ACB000-memory.dmp

Filesize
172KB

Download
memory/2104-141-0x0000000000AA0000-0x0000000000ACB000-memory.dmp

Filesize
172KB

Download
memory/4880-130-0x0000000003E80000-0x0000000003EC0000-memory.dmp

Filesize
256KB

Download
memory/4880-142-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download