netwire | 3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b

General

Target

3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
Size

448KB
MD5

44a765fe57dea1ae7b642010c7209932
SHA1

3e97fc2183c9af4d8f71d0a546b6c2611495a46c
SHA256

3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b
SHA512

6ecba354b1cd685588cf7aa44092d99e227a7e99bfd1c9b8811960a556e556b555853560271b1cc4f8744dbbd95c726b6ce183ae9fdd298efaf7bcd551d1edae

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

popen.ru:6970

dhfgh.online:6970

popen43.ru:6970

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
SC Native
lock_executable
false
mutex
OjxxiSpn
offline_keylogger
false
password
ppF7"oRyqm
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1920-59-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ojjgotlkaiwzmmb.eu.url	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

description	pid	process	target process
PID 1980 set thread context of 1920	1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

pid	process
1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

pid process

1980 3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

description	pid	process	target process
PID 1980 wrote to memory of 1920	1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
PID 1980 wrote to memory of 1920	1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
PID 1980 wrote to memory of 1920	1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
PID 1980 wrote to memory of 1920	1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
PID 1980 wrote to memory of 1920	1980	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe	3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe

C:\Users\Admin\AppData\Local\Temp\3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
"C:\Users\Admin\AppData\Local\Temp\3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe
"C:\Users\Admin\AppData\Local\Temp\3d6bc146d5338159005ae3d66c7fda67a6ada1dc1a66b4ab17301ef4ec1b665b.exe"
2⤵
PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1920-56-0x0000000000402BCB-mapping.dmp

Download
memory/1920-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1980-54-0x0000000076C01000-0x0000000076C03000-memory.dmp

Filesize
8KB

Download
memory/1980-55-0x0000000001040000-0x00000000010B4000-memory.dmp

Filesize
464KB

Download
memory/1980-57-0x0000000001040000-0x00000000010B4000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads