netwire | 5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c

General

Target

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
Size

216KB
MD5

4c0d71906fa0cf0bda68d486000044e4
SHA1

fa991f76283138530a5a7bcb7b4e7dedd9e7e567
SHA256

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c
SHA512

f636adb457276398158006956b27dd4cb742a01c04a511f685cca04bef61444662c9362ceee052f8676b00f0042fdf0f1b9b5f5891085d4ae1c15f47c6f19e4c

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

auth.dynns.com:1212

auth.myddns.me:1111

Attributes

activex_autorun
false
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1856-58-0x0000000000400000-0x0000000000420000-memory.dmp	netwire
behavioral1/memory/1976-74-0x0000000000400000-0x0000000000420000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1976 Host.exe
Deletes itself 1 IoCs

Processes:

Host.exe

pid process

1976 Host.exe

pid	process
1976	Host.exe

pid	process
1976	Host.exe

Drops startup file 2 IoCs

Processes:

Host.exe5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Banal.vbe	Host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Banal.vbe	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe

Loads dropped DLL 2 IoCs

Processes:

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe

pid	process
1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exeHost.exe

pid	process
1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
1976	Host.exe
1976	Host.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exeHost.exe

pid	process
1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
1976	Host.exe
1976	Host.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exeHost.exe

pid process

1856 5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
1976 Host.exe
Suspicious use of UnmapMainImage 2 IoCs

Processes:

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exeHost.exe

pid process

1856 5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
1976 Host.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe

description	pid	process	target process
PID 1856 wrote to memory of 1976	1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe	Host.exe
PID 1856 wrote to memory of 1976	1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe	Host.exe
PID 1856 wrote to memory of 1976	1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe	Host.exe
PID 1856 wrote to memory of 1976	1856	5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe
"C:\Users\Admin\AppData\Local\Temp\5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Users\Admin\AppData\Local\Temp\5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
216KB

MD5
4c0d71906fa0cf0bda68d486000044e4

SHA1
fa991f76283138530a5a7bcb7b4e7dedd9e7e567

SHA256
5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c

SHA512
f636adb457276398158006956b27dd4cb742a01c04a511f685cca04bef61444662c9362ceee052f8676b00f0042fdf0f1b9b5f5891085d4ae1c15f47c6f19e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
216KB

MD5
4c0d71906fa0cf0bda68d486000044e4

SHA1
fa991f76283138530a5a7bcb7b4e7dedd9e7e567

SHA256
5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c

SHA512
f636adb457276398158006956b27dd4cb742a01c04a511f685cca04bef61444662c9362ceee052f8676b00f0042fdf0f1b9b5f5891085d4ae1c15f47c6f19e4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Banal.vbe

Filesize
384B

MD5
347c177c67a16509daeb5c67f270a74e

SHA1
efa6270088dcf5960b69817ee94f9ea36bfd6e66

SHA256
266512818b0f3d60c2686cf43aec7266766838fcdd4544e9faa6daf5ff91ea5e

SHA512
15bfcb81c83e21ff6f8536b92b5d6ad22bb9e307b29feb7faf61fef926c0d511eb115f507c3c0ed1a5522abaf36d1478a35c43cd33328fb7a247a788edc36eb9

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
216KB

MD5
4c0d71906fa0cf0bda68d486000044e4

SHA1
fa991f76283138530a5a7bcb7b4e7dedd9e7e567

SHA256
5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c

SHA512
f636adb457276398158006956b27dd4cb742a01c04a511f685cca04bef61444662c9362ceee052f8676b00f0042fdf0f1b9b5f5891085d4ae1c15f47c6f19e4c

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
216KB

MD5
4c0d71906fa0cf0bda68d486000044e4

SHA1
fa991f76283138530a5a7bcb7b4e7dedd9e7e567

SHA256
5725b136e0831c23a4c3a7394ff74ad7dd627205d006b65659ea0ba56af43e5c

SHA512
f636adb457276398158006956b27dd4cb742a01c04a511f685cca04bef61444662c9362ceee052f8676b00f0042fdf0f1b9b5f5891085d4ae1c15f47c6f19e4c

Download Submit
memory/1856-67-0x0000000077800000-0x0000000077980000-memory.dmp

Filesize
1.5MB

Download
memory/1856-69-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1856-56-0x00000000761D1000-0x00000000761D3000-memory.dmp

Filesize
8KB

Download
memory/1856-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-64-0x0000000000000000-mapping.dmp

Download
memory/1976-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1976-78-0x0000000077800000-0x0000000077980000-memory.dmp

Filesize
1.5MB

Download
memory/1976-79-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads