netwire | 4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13

Analysis

max time kernel
149s
max time network
103s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe
Size

1.7MB
MD5

eac50aecd140f50a9b05bd1d7ead0895
SHA1

605890b47e3f232196ff9e21ca983a91278f8c1e
SHA256

4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13
SHA512

eedb9a7ac6465476ba6d62bb2bb5ef5c97fd733bd83a6956d36d087239a8de5d11e020caa14b88723b91979bc39eeac0398c0180f32f452e598465bf5ab82e49

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

216.38.2.197:6080

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
FEB2K19
install_path
%AppData%\Install\Wordpads.exe
keylogger_dir
%AppData%\sgol\
lock_executable
false
offline_keylogger
true
password
&+~K4r)"5WGP2j*
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2040-61-0x0000000000130000-0x0000000000152000-memory.dmp	netwire
behavioral1/memory/2040-62-0x00000000001F0000-0x000000000021C000-memory.dmp	netwire
behavioral1/memory/1016-64-0x0000000001E00000-0x0000000001E2C000-memory.dmp	netwire
behavioral1/memory/1016-65-0x0000000001E00000-0x0000000001E2C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Wordpads.exe

pid process

1016 Wordpads.exe
Loads dropped DLL 1 IoCs

Processes:

4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe

pid process

2040 4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe

pid	process
1016	Wordpads.exe

pid	process
2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe

description	pid	process	target process
PID 2040 wrote to memory of 1016	2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 2040 wrote to memory of 1016	2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 2040 wrote to memory of 1016	2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 2040 wrote to memory of 1016	2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 2040 wrote to memory of 1016	2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 2040 wrote to memory of 1016	2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 2040 wrote to memory of 1016	2040	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe

C:\Users\Admin\AppData\Local\Temp\4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe
"C:\Users\Admin\AppData\Local\Temp\4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\Install\Wordpads.exe
"C:\Users\Admin\AppData\Roaming\Install\Wordpads.exe"
2⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Wordpads.exe

Filesize
1.7MB

MD5
eac50aecd140f50a9b05bd1d7ead0895

SHA1
605890b47e3f232196ff9e21ca983a91278f8c1e

SHA256
4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13

SHA512
eedb9a7ac6465476ba6d62bb2bb5ef5c97fd733bd83a6956d36d087239a8de5d11e020caa14b88723b91979bc39eeac0398c0180f32f452e598465bf5ab82e49

Download Submit
\Users\Admin\AppData\Roaming\Install\Wordpads.exe

Filesize
1.7MB

MD5
eac50aecd140f50a9b05bd1d7ead0895

SHA1
605890b47e3f232196ff9e21ca983a91278f8c1e

SHA256
4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13

SHA512
eedb9a7ac6465476ba6d62bb2bb5ef5c97fd733bd83a6956d36d087239a8de5d11e020caa14b88723b91979bc39eeac0398c0180f32f452e598465bf5ab82e49

Download Submit
memory/1016-57-0x0000000000000000-mapping.dmp

Download
memory/1016-63-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/1016-64-0x0000000001E00000-0x0000000001E2C000-memory.dmp

Filesize
176KB

Download
memory/1016-65-0x0000000001E00000-0x0000000001E2C000-memory.dmp

Filesize
176KB

Download
memory/1016-66-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2040-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/2040-55-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2040-59-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2040-61-0x0000000000130000-0x0000000000152000-memory.dmp

Filesize
136KB

Download
memory/2040-62-0x00000000001F0000-0x000000000021C000-memory.dmp

Filesize
176KB

Download