netwire | 412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f

General

Target

412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe
Size

540KB
MD5

e908270ed1cad4b5f2081c90ec972b13
SHA1

aa3a11069ef6f4d765c4f9fd54405434b554660b
SHA256

412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f
SHA512

ef8b4d3560bff36d34a274c4489cf000229421336d367a08c7d6423ec7195800752582091b7049fe9c4d088f9751e55e3158e6839ce593a2dc47521e739da3be

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

160.116.15.145:9921

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1392-63-0x0000000000400000-0x000000000048F000-memory.dmp	netwire
behavioral1/memory/1392-64-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe

description	pid	process	target process
PID 1776 set thread context of 1392	1776	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe

pid process

1776 412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe

pid	process
1776	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe

description	pid	process	target process
PID 1776 wrote to memory of 1392	1776	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe
PID 1776 wrote to memory of 1392	1776	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe
PID 1776 wrote to memory of 1392	1776	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe
PID 1776 wrote to memory of 1392	1776	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe	412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe

C:\Users\Admin\AppData\Local\Temp\412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe
"C:\Users\Admin\AppData\Local\Temp\412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe
C:\Users\Admin\AppData\Local\Temp\412e4f6cdf3aec4b28a107e6f7f01f9365bebe0b39e052b10537b2ea28c1340f.exe"
2⤵
PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1392-58-0x00000000004055B9-mapping.dmp

Download
memory/1392-63-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/1392-64-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1392-70-0x00000000774D0000-0x0000000077679000-memory.dmp

Filesize
1.7MB

Download
memory/1392-71-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download
memory/1392-72-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/1776-56-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1776-57-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1776-59-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1776-60-0x00000000774D0000-0x0000000077679000-memory.dmp

Filesize
1.7MB

Download
memory/1776-61-0x00000000776B0000-0x0000000077830000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads