netwire | 4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13

Analysis

max time kernel
92s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe
Size

1.7MB
MD5

eac50aecd140f50a9b05bd1d7ead0895
SHA1

605890b47e3f232196ff9e21ca983a91278f8c1e
SHA256

4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13
SHA512

eedb9a7ac6465476ba6d62bb2bb5ef5c97fd733bd83a6956d36d087239a8de5d11e020caa14b88723b91979bc39eeac0398c0180f32f452e598465bf5ab82e49

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

216.38.2.197:6080

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
FEB2K19
install_path
%AppData%\Install\Wordpads.exe
keylogger_dir
%AppData%\sgol\
lock_executable
false
offline_keylogger
true
password
&+~K4r)"5WGP2j*
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5116-131-0x0000000000750000-0x0000000000772000-memory.dmp	netwire
behavioral2/memory/5116-132-0x00000000008C0000-0x00000000008EC000-memory.dmp	netwire
behavioral2/memory/2272-138-0x0000000000830000-0x000000000085C000-memory.dmp	netwire
behavioral2/memory/2272-139-0x0000000000830000-0x000000000085C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Wordpads.exe

pid process

2272 Wordpads.exe

pid	process
2272	Wordpads.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe

description	pid	process	target process
PID 5116 wrote to memory of 2272	5116	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 5116 wrote to memory of 2272	5116	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe
PID 5116 wrote to memory of 2272	5116	4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe	Wordpads.exe

C:\Users\Admin\AppData\Local\Temp\4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe
"C:\Users\Admin\AppData\Local\Temp\4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Roaming\Install\Wordpads.exe
"C:\Users\Admin\AppData\Roaming\Install\Wordpads.exe"
2⤵
- Executes dropped EXE
PID:2272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Wordpads.exe

Filesize
1.7MB

MD5
eac50aecd140f50a9b05bd1d7ead0895

SHA1
605890b47e3f232196ff9e21ca983a91278f8c1e

SHA256
4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13

SHA512
eedb9a7ac6465476ba6d62bb2bb5ef5c97fd733bd83a6956d36d087239a8de5d11e020caa14b88723b91979bc39eeac0398c0180f32f452e598465bf5ab82e49

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Wordpads.exe

Filesize
1.7MB

MD5
eac50aecd140f50a9b05bd1d7ead0895

SHA1
605890b47e3f232196ff9e21ca983a91278f8c1e

SHA256
4ef520b5bbc4521edc2b600918eac72d04608600a8ec295df06db5c9ed3a5e13

SHA512
eedb9a7ac6465476ba6d62bb2bb5ef5c97fd733bd83a6956d36d087239a8de5d11e020caa14b88723b91979bc39eeac0398c0180f32f452e598465bf5ab82e49

Download Submit
memory/2272-133-0x0000000000000000-mapping.dmp

Download
memory/2272-137-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2272-138-0x0000000000830000-0x000000000085C000-memory.dmp

Filesize
176KB

Download
memory/2272-139-0x0000000000830000-0x000000000085C000-memory.dmp

Filesize
176KB

Download
memory/2272-140-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/5116-130-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/5116-131-0x0000000000750000-0x0000000000772000-memory.dmp

Filesize
136KB

Download
memory/5116-132-0x00000000008C0000-0x00000000008EC000-memory.dmp

Filesize
176KB

Download
memory/5116-136-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download