netwire | 738a8ea86d2e8a24daf04932f5c0ac32c7878e9a6db8549f0cd1e75fe708c941

Resubmissions

06-09-2022 05:56

220906-gnbhtsgaa4 10

05-09-2022 05:07

220905-fsaawsbdfp 10

Analysis

max time kernel
140s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

badf1a99a053035a6ed6543ec7486585.exe
Size

1.8MB
MD5

badf1a99a053035a6ed6543ec7486585
SHA1

8b00a48974353b78e1c8755120c6069e7c2e6978
SHA256

738a8ea86d2e8a24daf04932f5c0ac32c7878e9a6db8549f0cd1e75fe708c941
SHA512

9d9f2889e97ff7ef1d38dc8b14b93017588dd6d4f88d8f31d112efea05656802f14c9a6df47f1cb527cb44e1a8162596c6609f75d630cebf215765ecafd13f69
SSDEEP

24576:RIel6SbNWql25cK7+15umdL/oNI9cccCqA4zkCi05YhBYAwRTT3pP7uqxYpIkYRi:RI26DY6STZQIJQAl2nup

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

jekkd.com:8080

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1968-134-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1968-135-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1968-138-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

badf1a99a053035a6ed6543ec7486585.exe

pid	process
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe
4372	badf1a99a053035a6ed6543ec7486585.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

badf1a99a053035a6ed6543ec7486585.exe

description	pid	process	target process
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe
PID 4372 wrote to memory of 1968	4372	badf1a99a053035a6ed6543ec7486585.exe	pipanel.exe

C:\Users\Admin\AppData\Local\Temp\badf1a99a053035a6ed6543ec7486585.exe
"C:\Users\Admin\AppData\Local\Temp\badf1a99a053035a6ed6543ec7486585.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372

C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
"C:\Users\Admin\AppData\Local\Temp\badf1a99a053035a6ed6543ec7486585.exe"
2⤵
PID:1968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1968-133-0x0000000000000000-mapping.dmp

Download
memory/1968-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-132-0x0000000002400000-0x000000000247B000-memory.dmp

Filesize
492KB

Download
memory/4372-136-0x0000000002400000-0x000000000247B000-memory.dmp

Filesize
492KB

Download
memory/4372-137-0x00000000025D0000-0x0000000002773000-memory.dmp

Filesize
1.6MB

Download