netwire | 403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede

General

Target

403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
Size

562KB
MD5

fd238c0ed716ed40685e923bbd688312
SHA1

4039ff431cd19e2f8d29ffad4056375a09d11904
SHA256

403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede
SHA512

319696d81f4f9acd8d19d6a5a6097ab0792691f314cdd8b5f69f6bce0969f30b77ce863bd2de97670f7a3ec8cc5cb6d5f1576ee29babef7a6c37b5b93b323014

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

ahmed82.duckdns.org:31220

Attributes

activex_autorun
true
activex_key
{MQ7E162C-G40B-POGC-BR10-W1R3U0M04M64}
copy_executable
true
delete_original
false
host_id
HostId-Nov%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/488-136-0x0000000000400000-0x000000000048D000-memory.dmp	netwire
behavioral2/memory/488-137-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

3948 Host.exe

pid	process
3948	Host.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe

description	pid	process	target process
PID 2704 set thread context of 488	2704	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exeHost.exe

pid process

2704 403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
3948 Host.exe

pid	process
2704	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
3948	Host.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe

description	pid	process	target process
PID 2704 wrote to memory of 488	2704	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
PID 2704 wrote to memory of 488	2704	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
PID 2704 wrote to memory of 488	2704	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
PID 488 wrote to memory of 3948	488	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe	Host.exe
PID 488 wrote to memory of 3948	488	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe	Host.exe
PID 488 wrote to memory of 3948	488	403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
"C:\Users\Admin\AppData\Local\Temp\403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe
C:\Users\Admin\AppData\Local\Temp\403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:488

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
562KB

MD5
fd238c0ed716ed40685e923bbd688312

SHA1
4039ff431cd19e2f8d29ffad4056375a09d11904

SHA256
403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede

SHA512
319696d81f4f9acd8d19d6a5a6097ab0792691f314cdd8b5f69f6bce0969f30b77ce863bd2de97670f7a3ec8cc5cb6d5f1576ee29babef7a6c37b5b93b323014

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
562KB

MD5
fd238c0ed716ed40685e923bbd688312

SHA1
4039ff431cd19e2f8d29ffad4056375a09d11904

SHA256
403a92e52243258eff6eb38f03d84048e16bc7a2b265e0968a310bdc69accede

SHA512
319696d81f4f9acd8d19d6a5a6097ab0792691f314cdd8b5f69f6bce0969f30b77ce863bd2de97670f7a3ec8cc5cb6d5f1576ee29babef7a6c37b5b93b323014

Download Submit
memory/488-133-0x0000000000000000-mapping.dmp

Download
memory/488-135-0x00000000004D0000-0x00000000004D7000-memory.dmp

Filesize
28KB

Download
memory/488-136-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/488-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/488-146-0x00000000774D0000-0x0000000077673000-memory.dmp

Filesize
1.6MB

Download
memory/2704-132-0x0000000002250000-0x0000000002257000-memory.dmp

Filesize
28KB

Download
memory/2704-134-0x00000000774D0000-0x0000000077673000-memory.dmp

Filesize
1.6MB

Download
memory/3948-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads