netwire | 1484-57-0x00000000000B0000-0x0000000000100000-memory[.]dmp | Triage

Sharing

General

Target

1484-57-0x00000000000B0000-0x0000000000100000-memory.dmp
Size

320KB
MD5

d82328c23ca19ce553843efb6b1bbc2e
SHA1

f9732f45bebb78118e9f0e827b970b161c1643f0
SHA256

9d1237be2eeaa044bf638cdf1dfc593f9c25b441db93217f3458e820c73f1272
SHA512

0294b79a18fc652860fd993cddfae644e8b6a003cab5ae8477c73c13ed881283eb4f2070defdf0a8fc5d0e305c65df9599ff8f84f62b35a89cbddb2158415ff5
SSDEEP

6144:tiAj4Yvs14NtwkIlfpC67B/eXZeta0gvm7boBqqDyIOw8B:tBj4YvCXfpC67B/eXZeMOqkHB

Score

10^/10

rat netwire

Malware Config

Extracted

Family

netwire

C2

musaad1995-60255.portmap.host:60255

Attributes

activex_autorun
false
activex_key
{0Q55O7T5-7PG8-1407-8Y6O-8DDRN68HAD86}
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Local\Microsoft\OneDrive\OneDrive.exe
keylogger_dir
OneDrive.lnk
lock_executable
false
mutex
vMnKWPIY
offline_keylogger
false
password
999000
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

sample netwire
Netwire family
netwire

Files

1484-57-0x00000000000B0000-0x0000000000100000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 208KB - Virtual size: 208KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ