netwire | 1004-138-0x0000000000400000-0x0000000000450000-memory[.]dmp | Triage

Sharing

General

Target

1004-138-0x0000000000400000-0x0000000000450000-memory.dmp
Size

320KB
MD5

131a0aac1d37476ab179df13fd059fdf
SHA1

b0f9f352cb500b1f81bf430d94e2950eb6e72c0b
SHA256

c76b9e2581ff21a6e9808ae03316f263ae76909fcac4e7e7e0af4a3b12f89afb
SHA512

b1b09ffce305a08a9b2684a082e1a4e1a9c9839ae471e714e581aaf83768d719551e6d989746404a8761db728a06c08a62bfeee193d84f39f7c5f6bcce52fb3b
SSDEEP

6144:ebhnot4+sbOAtbkfHLDiT6OzR8Q0l+/NyqRKbhoXqqD8X78B:elnot4+UwLDiT6OzR8llAgqxB

Score

10^/10

rat netwire

Malware Config

Extracted

Family

netwire

C2

54.145.6.146:443

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
MSOffice-%Rand%
lock_executable
false
mutex
IERXehpS
offline_keylogger
false
password
a1cap0ne@1960s
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

sample netwire
Netwire family
netwire

Files

1004-138-0x0000000000400000-0x0000000000450000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 208KB - Virtual size: 208KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 49KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ