netwire | e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e

General

Target

e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
Size

810KB
MD5

fa559220925eea2742d7b00a74d51bb2
SHA1

b3ce3b12cb42e539c6ed5a30c970829ade27927e
SHA256

e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e
SHA512

53d6659a379fd99cede23c692ed946a0f0584c89d3fd56b1d75b44ffc081aa663a23b76997104633884a1c69cc8f12a9b156f05d99b49951f9b727563a25d1ee
SSDEEP

12288:7Afvcc87YJg6IdFy9TMrExB/o+++9ei2UQVKjTRgQnhzeFozePyKfH1aw:7/CeFcTMrExxHthnkOMH1a

Score

10^/10

netwire botnet persistence rat stealer

Malware Config

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5040-147-0x0000000000400000-0x0000000000418000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\random_string = "C:\\Users\\Admin\\AppData\\Roaming\\IMJDC.exe"	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IMJDC0 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe"	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\IMJDC1 = "random_string"	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exee10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe

description	pid	process	target process
PID 1592 set thread context of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 set thread context of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exee10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe

C:\Users\Admin\AppData\Local\Temp\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
"C:\Users\Admin\AppData\Local\Temp\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
"C:\Users\Admin\AppData\Local\Temp\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
"C:\Users\Admin\AppData\Local\Temp\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe"
3⤵
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe.log
Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
memory/1236-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-145-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/1236-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-137-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-134-0x0000000000000000-mapping.dmp

Download
memory/1236-141-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/1592-139-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/1592-133-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/1592-132-0x00000000746F0000-0x0000000074CA1000-memory.dmp

Filesize
5.7MB

Download
memory/5040-140-0x0000000000000000-mapping.dmp

Download
memory/5040-142-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-146-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5040-147-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

description	pid	process	target process
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1592 wrote to memory of 1236	1592	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe
PID 1236 wrote to memory of 5040	1236	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe	e10d4c8e97df9a2bce4ea3bc841646b1a15b579071c494acbcd604f0c09cfe7e.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads