netwire | 876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6

General

Target

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
Size

1.3MB
MD5

9f87dadf4d0571f3e441c9d5911864c8
SHA1

832dfa671b4be3085e997ffd46e0bc243f1f74b8
SHA256

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6
SHA512

02750caf93c3017ab0b00993b680265cf6166b377379a8ba8f63ee1acb02d528a87b1b54502dfb97fdd31a3d13feda0621d827e238490b2a6c537252ef8b7580

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

185.244.30.254:3361

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
lock_executable
false
offline_keylogger
false
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2392-135-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

4592 Host.exe

pid	process
4592	Host.exe

Drops startup file 1 IoCs

Processes:

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sppsvc.url	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe

description	pid	process	target process
PID 4016 set thread context of 2392	4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe

pid process

4016 876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exeHost.exe

pid	process
4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
4592	Host.exe
4592	Host.exe
4592	Host.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exeHost.exe

pid	process
4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
4592	Host.exe
4592	Host.exe
4592	Host.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe

description	pid	process	target process
PID 4016 wrote to memory of 2392	4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
PID 4016 wrote to memory of 2392	4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
PID 4016 wrote to memory of 2392	4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
PID 4016 wrote to memory of 2392	4016	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
PID 2392 wrote to memory of 4592	2392	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	Host.exe
PID 2392 wrote to memory of 4592	2392	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	Host.exe
PID 2392 wrote to memory of 4592	2392	876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
"C:\Users\Admin\AppData\Local\Temp\876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe
"C:\Users\Admin\AppData\Local\Temp\876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.3MB

MD5
9f87dadf4d0571f3e441c9d5911864c8

SHA1
832dfa671b4be3085e997ffd46e0bc243f1f74b8

SHA256
876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6

SHA512
02750caf93c3017ab0b00993b680265cf6166b377379a8ba8f63ee1acb02d528a87b1b54502dfb97fdd31a3d13feda0621d827e238490b2a6c537252ef8b7580

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
1.3MB

MD5
9f87dadf4d0571f3e441c9d5911864c8

SHA1
832dfa671b4be3085e997ffd46e0bc243f1f74b8

SHA256
876da78bf436f68353ab2cf07e68a195843e19c147fdef83add2efc1352e66f6

SHA512
02750caf93c3017ab0b00993b680265cf6166b377379a8ba8f63ee1acb02d528a87b1b54502dfb97fdd31a3d13feda0621d827e238490b2a6c537252ef8b7580

Download Submit
memory/2392-131-0x0000000000000000-mapping.dmp

Download
memory/2392-135-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4016-130-0x00000000019B0000-0x00000000019D2000-memory.dmp

Filesize
136KB

Download
memory/4016-132-0x0000000001A80000-0x0000000001AA1000-memory.dmp

Filesize
132KB

Download
memory/4592-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads