netwire | 57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

General

Target

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
Size

196KB
MD5

40af2d46b77bcdc84924c5b6a29bfe2d
SHA1

8ff1371ddd1fc3839c06d4cc1f86166873a6c726
SHA256

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201
SHA512

860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4684-133-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4684-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/4684-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

832 Host.exe

pid	process
832	Host.exe

Drops startup file 1 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nlomdNielECE.lnk	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

description	pid	process	target process
PID 4064 set thread context of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe

description	pid	process	target process
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4064 wrote to memory of 4684	4064	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
PID 4684 wrote to memory of 832	4684	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	Host.exe
PID 4684 wrote to memory of 832	4684	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	Host.exe
PID 4684 wrote to memory of 832	4684	57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
"C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe
"C:\Users\Admin\AppData\Local\Temp\57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
196KB

MD5
40af2d46b77bcdc84924c5b6a29bfe2d

SHA1
8ff1371ddd1fc3839c06d4cc1f86166873a6c726

SHA256
57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

SHA512
860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
196KB

MD5
40af2d46b77bcdc84924c5b6a29bfe2d

SHA1
8ff1371ddd1fc3839c06d4cc1f86166873a6c726

SHA256
57d59bcc4a2ed648b5321f0f68b6b0782642fe66fa8472e6a95dd59db34f3201

SHA512
860949ffc6fab641a6666c603919fdd404436048af7e90bce7566dca6abcba213a9e7f92278621b01058bcb233abeb955f86d2c505c1178738c86bda046d6e46

Download Submit
memory/832-136-0x0000000000000000-mapping.dmp

Download
memory/832-140-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/832-141-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4064-130-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4064-131-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4064-142-0x0000000074D10000-0x00000000752C1000-memory.dmp

Filesize
5.7MB

Download
memory/4684-132-0x0000000000000000-mapping.dmp

Download
memory/4684-133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4684-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4684-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads