netwire | d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768

Analysis

max time kernel
131s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
31-07-2022 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe
Size

296KB
MD5

970f3b397fa42324f5573b95e61142b8
SHA1

ca75d8928d20b0bc3389685d404b366f335f68d8
SHA256

d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768
SHA512

c98ac113b467d15027d614dd8317f69f3ec270b2c2e4a16a363265c0072fad6e27c10d034ff1293c669284eaf78b787eeccb6bbc07d8bdced5dadd95e64c9602

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3328-144-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/3328-143-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral2/memory/3328-150-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops file in Windows directory 2 IoCs

Processes:

d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exed5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe
File opened for modification	C:\Windows\win.ini	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exed5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe

pid	process
2560	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe
3328	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe

description	pid	process	target process
PID 2560 wrote to memory of 3328	2560	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe
PID 2560 wrote to memory of 3328	2560	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe
PID 2560 wrote to memory of 3328	2560	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe	d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe

C:\Users\Admin\AppData\Local\Temp\d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe
"C:\Users\Admin\AppData\Local\Temp\d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe
"C:\Users\Admin\AppData\Local\Temp\d5a23a943397163bc154dc3fd424ee6ba6022df72804e2c5231eda496515b768.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/2560-135-0x00007FFF9CBF0000-0x00007FFF9CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/2560-136-0x00000000770B0000-0x0000000077253000-memory.dmp

Filesize
1.6MB

Download
memory/2560-134-0x0000000002250000-0x0000000002253000-memory.dmp

Filesize
12KB

Download
memory/2560-140-0x00000000770B0000-0x0000000077253000-memory.dmp

Filesize
1.6MB

Download
memory/3328-142-0x00000000770B0000-0x0000000077253000-memory.dmp

Filesize
1.6MB

Download
memory/3328-137-0x0000000000000000-mapping.dmp

Download
memory/3328-144-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3328-143-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3328-150-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3328-151-0x0000000000730000-0x0000000000733000-memory.dmp

Filesize
12KB

Download
memory/3328-152-0x00007FFF9CBF0000-0x00007FFF9CDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3328-153-0x00000000770B0000-0x0000000077253000-memory.dmp

Filesize
1.6MB

Download
memory/3328-154-0x00000000770B0000-0x0000000077253000-memory.dmp

Filesize
1.6MB

Download