netwire | 57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

General

Target

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
Size

196KB
MD5

40af2d46b77bcdc84924c5b6a29bfe2d
SHA1

8ff1371ddd1fc3839c06d4cc1f86166873a6c726
SHA256

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201
SHA512

860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/848-61-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/848-64-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/848-63-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/848-67-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/848-72-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

560 Host.exe

pid	process
560	Host.exe

Drops startup file 1 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlomdNielECE.lnk	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

Loads dropped DLL 3 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

pid	process
848	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
848	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

description	pid	process	target process
PID 1008 set thread context of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

pid	process
1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

description pid process

Token: SeDebugPrivilege 1008 57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

description	pid	process
Token: SeDebugPrivilege	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
"C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
"C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe"
2⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
"C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
196KB

MD5
40af2d46b77bcdc84924c5b6a29bfe2d

SHA1
8ff1371ddd1fc3839c06d4cc1f86166873a6c726

SHA256
57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

SHA512
860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
196KB

MD5
40af2d46b77bcdc84924c5b6a29bfe2d

SHA1
8ff1371ddd1fc3839c06d4cc1f86166873a6c726

SHA256
57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

SHA512
860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Download Submit
\Users\Admin\AppData\Roaming\CbgAJgP\WflrmsAYJC.exe

Filesize
196KB

MD5
40af2d46b77bcdc84924c5b6a29bfe2d

SHA1
8ff1371ddd1fc3839c06d4cc1f86166873a6c726

SHA256
57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

SHA512
860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
196KB

MD5
40af2d46b77bcdc84924c5b6a29bfe2d

SHA1
8ff1371ddd1fc3839c06d4cc1f86166873a6c726

SHA256
57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

SHA512
860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
196KB

MD5
40af2d46b77bcdc84924c5b6a29bfe2d

SHA1
8ff1371ddd1fc3839c06d4cc1f86166873a6c726

SHA256
57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

SHA512
860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Download Submit
memory/560-76-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/560-75-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/560-70-0x0000000000000000-mapping.dmp

Download
memory/848-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/848-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/848-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/848-64-0x00000000004021DA-mapping.dmp

Download
memory/848-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/848-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/848-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/848-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1008-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1008-77-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-55-0x0000000074060000-0x000000007460B000-memory.dmp

Filesize
5.7MB

Download

description	pid	process	target process
PID 1008 wrote to memory of 844	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 844	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 844	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 844	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 1008 wrote to memory of 848	1008	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 848 wrote to memory of 560	848	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	Host.exe
PID 848 wrote to memory of 560	848	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	Host.exe
PID 848 wrote to memory of 560	848	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	Host.exe
PID 848 wrote to memory of 560	848	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	Host.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads