netwire | 5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7

General

Target

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
Size

539KB
MD5

b7e3a34777762e23320ac86a0dc0e13d
SHA1

144e81a97b40bdd0c084d2bdb3de2f1b8cecc597
SHA256

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7
SHA512

8b3d4f147115386d6b49c4858a17bf11558b3302ee86fc98033c8a886dd295bdfe8fdd2d064c5856309c3466e9656e19452cc5487a10d4fdf4ef1ce285c0f67a

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1596-66-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral1/memory/1544-69-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1488 Host.exe
1724 Host.exe
Loads dropped DLL 2 IoCs

Processes:

RegAsm.exeRegAsm.exe

pid process

1596 RegAsm.exe
1544 RegAsm.exe

pid	process
1488	Host.exe
1724	Host.exe

pid	process
1596	RegAsm.exe
1544	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe

description	pid	process	target process
PID 980 set thread context of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 set thread context of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe

pid	process
980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exeRegAsm.exeRegAsm.exe

description	pid	process	target process
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1596	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 980 wrote to memory of 1544	980	5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe	RegAsm.exe
PID 1596 wrote to memory of 1488	1596	RegAsm.exe	Host.exe
PID 1596 wrote to memory of 1488	1596	RegAsm.exe	Host.exe
PID 1596 wrote to memory of 1488	1596	RegAsm.exe	Host.exe
PID 1596 wrote to memory of 1488	1596	RegAsm.exe	Host.exe
PID 1544 wrote to memory of 1724	1544	RegAsm.exe	Host.exe
PID 1544 wrote to memory of 1724	1544	RegAsm.exe	Host.exe
PID 1544 wrote to memory of 1724	1544	RegAsm.exe	Host.exe
PID 1544 wrote to memory of 1724	1544	RegAsm.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe
"C:\Users\Admin\AppData\Local\Temp\5b3692b40de137cd31116d42ed879e98ffce063ad118c88e83e0eb8eeda720a7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/980-55-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/980-56-0x00000000042C0000-0x00000000042F0000-memory.dmp

Filesize
192KB

Download
memory/980-57-0x0000000076A21000-0x0000000076A23000-memory.dmp

Filesize
8KB

Download
memory/980-62-0x00000000005F0000-0x00000000005F3000-memory.dmp

Filesize
12KB

Download
memory/980-54-0x0000000000800000-0x000000000088C000-memory.dmp

Filesize
560KB

Download
memory/1488-68-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/1488-64-0x0000000000000000-mapping.dmp

Download
memory/1544-69-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1544-59-0x00000000004026D0-mapping.dmp

Download
memory/1596-66-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1596-58-0x00000000004026D0-mapping.dmp

Download
memory/1724-71-0x0000000000000000-mapping.dmp

Download
memory/1724-74-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads