netwire | db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0

General

Target

db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
Size

1.0MB
MD5

86afe7748042ad36d8ad98bc9cd231d7
SHA1

595630681e9a397085925fe2219a79c06baa7de9
SHA256

db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0
SHA512

04884dc39568b100899238937249f9ad0c897f573cda1ff849df6b701699c9d526ab8e208ec42a9ad1c275fe83fe809dbb7e3f007842fb59cbe13a0a7ed0ab6f

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

80.66.64.136:6671

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
lock_executable
false
offline_keylogger
false
password
kongking
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1724-140-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/1724-141-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/1724-142-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/1724-143-0x0000000000400000-0x0000000000450000-memory.dmp	netwire
behavioral1/memory/1724-144-0x0000000000400000-0x0000000000450000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

description	pid	process	target process
PID 3196 set thread context of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

pid	process
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

description pid process

Token: SeDebugPrivilege 3196 db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

description	pid	process
Token: SeDebugPrivilege	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

description	pid	process	target process
PID 3196 wrote to memory of 636	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 636	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 636	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
PID 3196 wrote to memory of 1724	3196	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe	db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe

C:\Users\Admin\AppData\Local\Temp\db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
"C:\Users\Admin\AppData\Local\Temp\db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
"C:\Users\Admin\AppData\Local\Temp\db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe"
2⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe
"C:\Users\Admin\AppData\Local\Temp\db1f67662e5ca9e31d8b97e81868b9aac471202866dc442e3617613ab53fa2f0.exe"
2⤵
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-138-0x0000000000000000-mapping.dmp

Download
memory/1724-141-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1724-139-0x0000000000000000-mapping.dmp

Download
memory/1724-140-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1724-142-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1724-143-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1724-144-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3196-134-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/3196-135-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/3196-136-0x0000000008C90000-0x0000000008D2C000-memory.dmp

Filesize
624KB

Download
memory/3196-137-0x0000000000AD0000-0x0000000000B36000-memory.dmp

Filesize
408KB

Download
memory/3196-133-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/3196-132-0x0000000000390000-0x0000000000498000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads