netwire | 09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd

Analysis

max time kernel
73s
max time network
123s
platform
windows10-1703_x64
resource
win10-20220718-en
resource tags

arch:x64arch:x86image:win10-20220718-enlocale:en-usos:windows10-1703-x64system
submitted
02-08-2022 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd.exe
Size

160KB
MD5

3564b2127c519a9e39b63f0e6994a3d1
SHA1

158c22dea6eb92f518af7ea947e08521a904e3ad
SHA256

09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
SHA512

37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

37.0.14.206:3384

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\Host.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

4488 Host.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4488	Host.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd.exe

description	pid	process	target process
PID 2072 wrote to memory of 4488	2072	09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd.exe	Host.exe
PID 2072 wrote to memory of 4488	2072	09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd.exe	Host.exe
PID 2072 wrote to memory of 4488	2072	09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd.exe
"C:\Users\Admin\AppData\Local\Temp\09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
2⤵
- Executes dropped EXE
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
160KB

MD5
3564b2127c519a9e39b63f0e6994a3d1

SHA1
158c22dea6eb92f518af7ea947e08521a904e3ad

SHA256
09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd

SHA512
37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
160KB

MD5
3564b2127c519a9e39b63f0e6994a3d1

SHA1
158c22dea6eb92f518af7ea947e08521a904e3ad

SHA256
09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd

SHA512
37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029

Download Submit
memory/2072-119-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-120-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-118-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-121-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-117-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-122-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-123-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-124-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-125-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-126-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-127-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-128-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-130-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-131-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-129-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-133-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-132-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-135-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-136-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-138-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-139-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-137-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-141-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-140-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-134-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-142-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-143-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-145-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-147-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-146-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-148-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-149-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-144-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-150-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-151-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-152-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-153-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-154-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-155-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-156-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-157-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-158-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-159-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-160-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-161-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-162-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/2072-163-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-164-0x0000000000000000-mapping.dmp

Download
memory/4488-167-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-168-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-169-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-166-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-170-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-171-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-175-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-174-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-172-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-176-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-178-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-177-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-179-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-180-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-181-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-183-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/4488-182-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download