netwire | 97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e

Analysis

max time kernel
77s
max time network
82s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe
Size

107KB
MD5

bf33aed1340146e9499c756caf71def6
SHA1

351384c18969a0b2d5271d4769af549e4e56d26f
SHA256

97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e
SHA512

25598109743182f7e6100d67cac12663794150878c3ff3feed4e88a0c3acd72bebf71f6caf7efd5d0405f4676952bddcf7aa6ee640b13a04c6cd4c3f783a5be4

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

45.138.157.98:3586

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
PsYeHHVA
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

1952 Host.exe

pid	process
1952	Host.exe

Loads dropped DLL 2 IoCs

Processes:

97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe

pid	process
1960	97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe
1960	97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe

description	pid	process	target process
PID 1960 wrote to memory of 1952	1960	97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe	Host.exe
PID 1960 wrote to memory of 1952	1960	97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe	Host.exe
PID 1960 wrote to memory of 1952	1960	97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe
"C:\Users\Admin\AppData\Local\Temp\97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
- Executes dropped EXE
PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
107KB

MD5
bf33aed1340146e9499c756caf71def6

SHA1
351384c18969a0b2d5271d4769af549e4e56d26f

SHA256
97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e

SHA512
25598109743182f7e6100d67cac12663794150878c3ff3feed4e88a0c3acd72bebf71f6caf7efd5d0405f4676952bddcf7aa6ee640b13a04c6cd4c3f783a5be4

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
107KB

MD5
bf33aed1340146e9499c756caf71def6

SHA1
351384c18969a0b2d5271d4769af549e4e56d26f

SHA256
97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e

SHA512
25598109743182f7e6100d67cac12663794150878c3ff3feed4e88a0c3acd72bebf71f6caf7efd5d0405f4676952bddcf7aa6ee640b13a04c6cd4c3f783a5be4

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe

Filesize
107KB

MD5
bf33aed1340146e9499c756caf71def6

SHA1
351384c18969a0b2d5271d4769af549e4e56d26f

SHA256
97566bb258ee32164c2fb8370e2877ef88c9f0e4ea9e9456153d76f020a8ab0e

SHA512
25598109743182f7e6100d67cac12663794150878c3ff3feed4e88a0c3acd72bebf71f6caf7efd5d0405f4676952bddcf7aa6ee640b13a04c6cd4c3f783a5be4

Download Submit
memory/1952-57-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x000007FEFB521000-0x000007FEFB523000-memory.dmp

Filesize
8KB

Download