netwire | 502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e

Analysis

max time kernel
129s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2022 09:27

Target

502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e.exe
Size

84KB
MD5

64a019eac9e7e30715484e6ac037472c
SHA1

148cad04639cafef0b16d6012e12e4c3b93ff66a
SHA256

502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e
SHA512

2b5d6ce386fccaa36efcee3471c630ef013b05d33d4d64b4de160e628ea62734e32748699ddd5c25a1b02e6550f84585f216adebd54248062eea1dae458936ab

Score

10^/10

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1188 Host.exe

pid	process
1188	Host.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e.exe

description	pid	process	target process
PID 3300 wrote to memory of 1188	3300	502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e.exe	Host.exe
PID 3300 wrote to memory of 1188	3300	502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e.exe	Host.exe
PID 3300 wrote to memory of 1188	3300	502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e.exe
"C:\Users\Admin\AppData\Local\Temp\502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
- Executes dropped EXE
PID:1188

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
84KB

MD5
64a019eac9e7e30715484e6ac037472c

SHA1
148cad04639cafef0b16d6012e12e4c3b93ff66a

SHA256
502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e

SHA512
2b5d6ce386fccaa36efcee3471c630ef013b05d33d4d64b4de160e628ea62734e32748699ddd5c25a1b02e6550f84585f216adebd54248062eea1dae458936ab

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
84KB

MD5
64a019eac9e7e30715484e6ac037472c

SHA1
148cad04639cafef0b16d6012e12e4c3b93ff66a

SHA256
502982f058ad68a55b9c4a4516bb98eef4bb9408c4b4e84789f59626293e9b2e

SHA512
2b5d6ce386fccaa36efcee3471c630ef013b05d33d4d64b4de160e628ea62734e32748699ddd5c25a1b02e6550f84585f216adebd54248062eea1dae458936ab

Download Submit
memory/1188-130-0x0000000000000000-mapping.dmp

Download