netwire | 4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

General

Target

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
Size

516KB
MD5

a746793b906c5355212819c537d95d4a
SHA1

b15cb2d0cb40f036f687fdabddeb54cd31c112e4
SHA256

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e
SHA512

0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

185.165.153.135:9539

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/832-63-0x0000000000400000-0x0000000000482000-memory.dmp	netwire
behavioral1/memory/832-64-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/772-87-0x0000000000400000-0x0000000000482000-memory.dmp	netwire
behavioral1/memory/772-88-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1096 Host.exe
772 Host.exe

pid	process
1096	Host.exe
772	Host.exe

Loads dropped DLL 2 IoCs

Processes:

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe

pid	process
832	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
832	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exeHost.exe

description	pid	process	target process
PID 1644 set thread context of 832	1644	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 1096 set thread context of 772	1096	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exeHost.exe

pid process

1644 4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
1096 Host.exe

pid	process
1644	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
1096	Host.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exeHost.exe

description	pid	process	target process
PID 1644 wrote to memory of 832	1644	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 1644 wrote to memory of 832	1644	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 1644 wrote to memory of 832	1644	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 1644 wrote to memory of 832	1644	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 832 wrote to memory of 1096	832	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	Host.exe
PID 832 wrote to memory of 1096	832	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	Host.exe
PID 832 wrote to memory of 1096	832	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	Host.exe
PID 832 wrote to memory of 1096	832	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	Host.exe
PID 1096 wrote to memory of 772	1096	Host.exe	Host.exe
PID 1096 wrote to memory of 772	1096	Host.exe	Host.exe
PID 1096 wrote to memory of 772	1096	Host.exe	Host.exe
PID 1096 wrote to memory of 772	1096	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
"C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\Install\Host.exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
memory/772-96-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/772-95-0x0000000077DD0000-0x0000000077F50000-memory.dmp

Filesize
1.5MB

Download
memory/772-94-0x0000000077BF0000-0x0000000077D99000-memory.dmp

Filesize
1.7MB

Download
memory/772-88-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/772-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/772-81-0x000000000046D030-mapping.dmp

Download
memory/832-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/832-74-0x00000000003A0000-0x00000000003A7000-memory.dmp

Filesize
28KB

Download
memory/832-76-0x0000000077BF0000-0x0000000077D99000-memory.dmp

Filesize
1.7MB

Download
memory/832-78-0x0000000077DD0000-0x0000000077F50000-memory.dmp

Filesize
1.5MB

Download
memory/832-58-0x000000000046D030-mapping.dmp

Download
memory/832-64-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1096-83-0x00000000002C0000-0x00000000002C7000-memory.dmp

Filesize
28KB

Download
memory/1096-84-0x0000000077BF0000-0x0000000077D99000-memory.dmp

Filesize
1.7MB

Download
memory/1096-85-0x0000000077DD0000-0x0000000077F50000-memory.dmp

Filesize
1.5MB

Download
memory/1096-72-0x0000000000000000-mapping.dmp

Download
memory/1644-56-0x00000000002F0000-0x00000000002F7000-memory.dmp

Filesize
28KB

Download
memory/1644-61-0x0000000077DD0000-0x0000000077F50000-memory.dmp

Filesize
1.5MB

Download
memory/1644-60-0x0000000077BF0000-0x0000000077D99000-memory.dmp

Filesize
1.7MB

Download
memory/1644-59-0x00000000002F0000-0x00000000002F7000-memory.dmp

Filesize
28KB

Download
memory/1644-57-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads