netwire | 214751a0d73e0aa9a6f5c010fd3c4fd45d5a2e4f96db8c2875355c399ff3a5bc

General

Target

SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
Size

412KB
MD5

afa993ae036de690642a6275a3053ede
SHA1

b2bdb616a2f6b8eb2c59340ede249e1b109ba5e7
SHA256

214751a0d73e0aa9a6f5c010fd3c4fd45d5a2e4f96db8c2875355c399ff3a5bc
SHA512

a1f7737a09762d69383db25e32284b1682d71c974767329537e10873703bc0ec2ac4ef310dd53633efc74f498dc2ceef78de9196f12a9039a3a5daf36633a36b

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

194.5.98.178:3384

194.5.98.178:3385

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
lovewin1
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1632-61-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1632-62-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1632-63-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1632-65-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1632-66-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1632-67-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/1632-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/1632-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe

description	pid	process	target process
PID 1500 set thread context of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe

description pid process

Token: SeDebugPrivilege 1500 SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe

description	pid	process
Token: SeDebugPrivilege	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe

description	pid	process	target process
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
PID 1500 wrote to memory of 1632	1500	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe	SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Mardom.MN.10.9492.exe"
2⤵
PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-54-0x0000000000E20000-0x0000000000E8C000-memory.dmp

Filesize
432KB

Download
memory/1500-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1632-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-67-0x000000000040242D-mapping.dmp

Download
memory/1632-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads