netwire | 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9

Analysis

max time kernel
146s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
Size

924KB
MD5

880ca8b15d56cb742217ba3ce2f22b14
SHA1

8109d350ef22987756d142cfb39abe4e28573b0d
SHA256

2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9
SHA512

c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63
SSDEEP

12288:769WY6/b3qvL7si6BYdLl9Ir+Jsh9nGk3CL6d6T4AHW/UN28IGWCvXZGe:+L+3ALAi39z0DC06TDHW/UNHJn/n

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/764-64-0x0000000000400000-0x000000000041E000-memory.dmp netwire
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

detect.exedetect.exe

pid process

696 detect.exe
764 detect.exe
Drops startup file 1 IoCs

Processes:

detect.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs detect.exe
Loads dropped DLL 2 IoCs

Processes:

2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe

pid process

1388 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
1388 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

detect.exe

description pid process target process

PID 696 set thread context of 764 696 detect.exe detect.exe
NTFS ADS 1 IoCs

Processes:

2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe:ZoneIdentifier 2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe

resource	yara_rule
behavioral1/memory/764-64-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

pid	process
696	detect.exe
764	detect.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ID Detector.vbs	detect.exe

description	pid	process	target process
PID 696 set thread context of 764	696	detect.exe	detect.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe:ZoneIdentifier	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exedetect.exe

pid	process
1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
696	detect.exe
696	detect.exe
696	detect.exe
696	detect.exe
696	detect.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

detect.exe

pid process

696 detect.exe
696 detect.exe

pid	process
696	detect.exe
696	detect.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exedetect.exe

description	pid	process	target process
PID 1388 wrote to memory of 696	1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe	detect.exe
PID 1388 wrote to memory of 696	1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe	detect.exe
PID 1388 wrote to memory of 696	1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe	detect.exe
PID 1388 wrote to memory of 696	1388	2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe	detect.exe
PID 696 wrote to memory of 764	696	detect.exe	detect.exe
PID 696 wrote to memory of 764	696	detect.exe	detect.exe
PID 696 wrote to memory of 764	696	detect.exe	detect.exe
PID 696 wrote to memory of 764	696	detect.exe	detect.exe

C:\Users\Admin\AppData\Local\Temp\2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe
"C:\Users\Admin\AppData\Local\Temp\2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
"C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe"
3⤵
- Executes dropped EXE
PID:764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
Filesize
924KB

MD5
880ca8b15d56cb742217ba3ce2f22b14

SHA1
8109d350ef22987756d142cfb39abe4e28573b0d

SHA256
2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9

SHA512
c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63

Download Submit
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
Filesize
924KB

MD5
880ca8b15d56cb742217ba3ce2f22b14

SHA1
8109d350ef22987756d142cfb39abe4e28573b0d

SHA256
2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9

SHA512
c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63

Download Submit
C:\Users\Admin\AppData\Roaming\ID Detector\detect.exe
Filesize
924KB

MD5
880ca8b15d56cb742217ba3ce2f22b14

SHA1
8109d350ef22987756d142cfb39abe4e28573b0d

SHA256
2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9

SHA512
c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63

Download Submit
\Users\Admin\AppData\Roaming\ID Detector\detect.exe
Filesize
924KB

MD5
880ca8b15d56cb742217ba3ce2f22b14

SHA1
8109d350ef22987756d142cfb39abe4e28573b0d

SHA256
2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9

SHA512
c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63

Download Submit
\Users\Admin\AppData\Roaming\ID Detector\detect.exe
Filesize
924KB

MD5
880ca8b15d56cb742217ba3ce2f22b14

SHA1
8109d350ef22987756d142cfb39abe4e28573b0d

SHA256
2fa74537582a2a72b07847c6b16a61b70fec38038af88e8dbf57fbeddd8237b9

SHA512
c5e287c92f575fcba2cf08121627690103f812fd3e92f65a0a2629f58645335e85e4ff51d4aa8e967e8e95615fa2f1541e1f4e38ec2b7d4d63245c9b12345f63

Download Submit
memory/696-57-0x0000000000000000-mapping.dmp

Download
memory/764-61-0x00000000004021DA-mapping.dmp

Download
memory/764-64-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download