netwire | 4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

General

Target

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
Size

516KB
MD5

a746793b906c5355212819c537d95d4a
SHA1

b15cb2d0cb40f036f687fdabddeb54cd31c112e4
SHA256

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e
SHA512

0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

185.165.153.135:9539

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4088-137-0x0000000000400000-0x0000000000482000-memory.dmp	netwire
behavioral2/memory/4088-138-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1580 Host.exe
4940 Host.exe

pid	process
1580	Host.exe
4940	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exeHost.exe

description	pid	process	target process
PID 3316 set thread context of 4088	3316	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 1580 set thread context of 4940	1580	Host.exe	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exeHost.exe

pid process

3316 4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
1580 Host.exe

pid	process
3316	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
1580	Host.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exeHost.exe

description	pid	process	target process
PID 3316 wrote to memory of 4088	3316	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 3316 wrote to memory of 4088	3316	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 3316 wrote to memory of 4088	3316	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
PID 4088 wrote to memory of 1580	4088	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	Host.exe
PID 4088 wrote to memory of 1580	4088	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	Host.exe
PID 4088 wrote to memory of 1580	4088	4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe	Host.exe
PID 1580 wrote to memory of 4940	1580	Host.exe	Host.exe
PID 1580 wrote to memory of 4940	1580	Host.exe	Host.exe
PID 1580 wrote to memory of 4940	1580	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
"C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe
C:\Users\Admin\AppData\Local\Temp\4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Roaming\Install\Host.exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:4940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
516KB

MD5
a746793b906c5355212819c537d95d4a

SHA1
b15cb2d0cb40f036f687fdabddeb54cd31c112e4

SHA256
4f6b90f9d4b48278766883d445a0e5f8e6ac7b26c89e4788d89ff0a651e89a3e

SHA512
0df708298b080413d39737686b89233d2c21262bbce001884cbf0f4dcd449931d1635f70e5c188c14e49ec687c59a3337d7916ee5cd76617b225e39d975a515f

Download Submit
memory/1580-157-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/1580-156-0x00007FFAD17F0000-0x00007FFAD19E5000-memory.dmp

Filesize
2.0MB

Download
memory/1580-155-0x0000000002260000-0x0000000002267000-memory.dmp

Filesize
28KB

Download
memory/1580-146-0x0000000000000000-mapping.dmp

Download
memory/3316-132-0x00000000022A0000-0x00000000022A7000-memory.dmp

Filesize
28KB

Download
memory/3316-135-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/3316-136-0x00007FFAD17F0000-0x00007FFAD19E5000-memory.dmp

Filesize
2.0MB

Download
memory/3316-134-0x00000000022A0000-0x00000000022A7000-memory.dmp

Filesize
28KB

Download
memory/4088-145-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/4088-149-0x00000000004D0000-0x00000000004D7000-memory.dmp

Filesize
28KB

Download
memory/4088-151-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/4088-133-0x0000000000000000-mapping.dmp

Download
memory/4088-144-0x00007FFAD17F0000-0x00007FFAD19E5000-memory.dmp

Filesize
2.0MB

Download
memory/4088-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4088-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4940-153-0x0000000000000000-mapping.dmp

Download
memory/4940-165-0x00007FFAD17F0000-0x00007FFAD19E5000-memory.dmp

Filesize
2.0MB

Download
memory/4940-166-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download
memory/4940-167-0x0000000001F50000-0x0000000001F57000-memory.dmp

Filesize
28KB

Download
memory/4940-168-0x00000000772E0000-0x0000000077483000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads