netwire | 0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e

General

Target

0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe
Size

233KB
MD5

c6178edfa12115bff102f02764b97dd5
SHA1

ef4bdbbdd4ce3b0fb1c6b1d778ee87ad1884f57a
SHA256

0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e
SHA512

aef18e6d76b7b95afaaa24f3a79041882a0a0a0e2931fb4a4506861f3f4f2d82050beef09ae7148488de28ca6a01f6fd56eb165c8c1f35f6e3b0f64d5b1043c7

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

vegan.giize.com:1604

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2328-144-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2328-146-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2328-148-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VguerMjfkJdkNgeurnKv.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VguerMjfkJdkNgeurnKv.exe	Powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe

description	pid	process	target process
PID 1196 set thread context of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Powershell.exe0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe

pid	process
4588	Powershell.exe
4588	Powershell.exe
1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe
1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Powershell.exe0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe

description	pid	process
Token: SeDebugPrivilege	4588	Powershell.exe
Token: SeDebugPrivilege	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe

description	pid	process	target process
PID 1196 wrote to memory of 4588	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	Powershell.exe
PID 1196 wrote to memory of 4588	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	Powershell.exe
PID 1196 wrote to memory of 4588	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	Powershell.exe
PID 1196 wrote to memory of 4940	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 4940	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 4940	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe
PID 1196 wrote to memory of 2328	1196	0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe
"C:\Users\Admin\AppData\Local\Temp\0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\0fed6fa2f3572636b628398d69201d11ef9c44a33491d36e5193364c0fd22a1e.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VguerMjfkJdkNgeurnKv.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-130-0x0000000000DA0000-0x0000000000DE0000-memory.dmp

Filesize
256KB

Download
memory/1196-131-0x0000000005750000-0x00000000057EC000-memory.dmp

Filesize
624KB

Download
memory/1196-132-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/1196-133-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/1196-134-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/1196-135-0x0000000005A90000-0x0000000005AE6000-memory.dmp

Filesize
344KB

Download
memory/2328-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-143-0x0000000000000000-mapping.dmp

Download
memory/2328-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4588-141-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/4588-140-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/4588-137-0x0000000002D00000-0x0000000002D36000-memory.dmp

Filesize
216KB

Download
memory/4588-139-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/4588-136-0x0000000000000000-mapping.dmp

Download
memory/4588-147-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/4588-138-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/4588-149-0x0000000007640000-0x00000000076D6000-memory.dmp

Filesize
600KB

Download
memory/4588-150-0x0000000006B70000-0x0000000006B8A000-memory.dmp

Filesize
104KB

Download
memory/4588-151-0x0000000006BC0000-0x0000000006BE2000-memory.dmp

Filesize
136KB

Download
memory/4940-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads