netwire | 21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

General

Target

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Size

738KB
MD5

4a95e7a9d4b8c642838e304b1f567bce
SHA1

0179ac1ce47a0d5038aa14748a85ad26373fa142
SHA256

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f
SHA512

9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1092-133-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/1092-135-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/1092-136-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral2/memory/2028-152-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

system.exesystem.exe

pid process

3500 system.exe
2028 system.exe

pid	process
3500	system.exe
2028	system.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
File created	C:\Windows\assembly\Desktop.ini	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.exe

description	pid	process	target process
PID 4060 set thread context of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 3500 set thread context of 2028	3500	system.exe	system.exe

Drops file in Windows directory 3 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
File opened for modification	C:\Windows\assembly	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2780 timeout.exe

pid	process
2780	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.exe

pid	process
4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
3500	system.exe
3500	system.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.exe

description	pid	process
Token: SeDebugPrivilege	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Token: 33	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Token: SeIncBasePriorityPrivilege	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
Token: SeDebugPrivilege	3500	system.exe
Token: 33	3500	system.exe
Token: SeIncBasePriorityPrivilege	3500	system.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exesystem.execmd.exe

description	pid	process	target process
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 1092	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
PID 4060 wrote to memory of 3500	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	system.exe
PID 4060 wrote to memory of 3500	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	system.exe
PID 4060 wrote to memory of 3500	4060	21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 2028	3500	system.exe	system.exe
PID 3500 wrote to memory of 3436	3500	system.exe	cmd.exe
PID 3500 wrote to memory of 3436	3500	system.exe	cmd.exe
PID 3500 wrote to memory of 3436	3500	system.exe	cmd.exe
PID 3436 wrote to memory of 2780	3436	cmd.exe	timeout.exe
PID 3436 wrote to memory of 2780	3436	cmd.exe	timeout.exe
PID 3436 wrote to memory of 2780	3436	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
"C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe
"C:\Users\Admin\AppData\Local\Temp\21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f.exe"
2⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\Apples\system.exe
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\Apples\system.exe
"C:\Users\Admin\AppData\Local\Temp\Apples\system.exe"
3⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Apples\system.exe.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
4⤵
- Delays execution with timeout.exe
PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Apples\melt.bat

Filesize
206B

MD5
21a46ebd2f4e277b896d9c432f1a14dd

SHA1
0f516085bf41fbedb07206757d2296e900aa8cf1

SHA256
cc6ccd29a0db8713d385063854a57221fb6bd93ac0b276da9cf0058adf3d8d7f

SHA512
1c286a32d9241d65d79f03285fe0bfde8be49454a4083b1304a7d33a51c4c24177162ad0c37e87ea573831d215d09debda08ffb21690be68f3afc871bf983d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe

Filesize
738KB

MD5
4a95e7a9d4b8c642838e304b1f567bce

SHA1
0179ac1ce47a0d5038aa14748a85ad26373fa142

SHA256
21dcf18b3949a5a3adfa4be19dd4c177f9ad087bf8e19895c146a076b337a73f

SHA512
9b4121849d81407973300c80e4c725d03071b9b93feca7fd7bcb7aef0cd35d80dc7cf747d544a76db764745b31ac889b896987bbe3849a57e1860fa0a7e91729

Download Submit
C:\Users\Admin\AppData\Local\Temp\Apples\system.exe.bat

Filesize
211B

MD5
403469127eb9502223321b4a9c433cea

SHA1
6ad849d68f5cc12adf1fbe9f1bb673fef2274846

SHA256
01b3e1fd452f49bf6195f8f530aa9ef87c1177632a1443634e8d1920c056009b

SHA512
4d9de06b2980f9dec97b9e889502619fc8776ce6fba6bd438f2a2e1cd883cbddb8a7659195a7db8ae79d8af14a156075199e19fe7c663cc03d2bf0ccc6e48007

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
52KB

MD5
a64daca3cfbcd039df3ec29d3eddd001

SHA1
eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

SHA256
403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

SHA512
b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

Download Submit
memory/1092-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-132-0x0000000000000000-mapping.dmp

Download
memory/2028-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-144-0x0000000000000000-mapping.dmp

Download
memory/2780-151-0x0000000000000000-mapping.dmp

Download
memory/3436-148-0x0000000000000000-mapping.dmp

Download
memory/3500-142-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3500-140-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/3500-137-0x0000000000000000-mapping.dmp

Download
memory/4060-130-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4060-141-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download
memory/4060-131-0x00000000751D0000-0x0000000075781000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads