netwire | bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f

Analysis

max time kernel
161s
max time network
68s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 23:27

Target

bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe
Size

162KB
MD5

40ee2d80f694274625a75229c35aaeb7
SHA1

80608e22a36eb029b88adf09a5d00a787d7317d7
SHA256

bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f
SHA512

fc21a33c2946e147b07d22c2935d7307ef3c5f538923ef9e24fa0df9b840598a8060ea25fb9fe4376bfe5fad9962faf784e1a6cbe4826b60aacbf7284a89dbdf
SSDEEP

3072:fWYxd5le5TlUW2l969XozjN37wcumC8b6HpladaGFS+RRHlOHdfln:lp2H2o9qjFkcLC8S+Hk+/kF

Score

10^/10

NetWire RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1076-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1076-66-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1076-68-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1076-72-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1076-73-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27
PID 1804 wrote to memory of 1076	1804	bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe	27

C:\Users\Admin\AppData\Local\Temp\bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe
"C:\Users\Admin\AppData\Local\Temp\bc93f4302c4dbb67a606a3cc7ebd948079c89a9a43e421854854b718ef63a92f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - Drops file in System32 directory
  PID:1076

memory/1076-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1076-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1076-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1076-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1076-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1076-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1076-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1804-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1804-55-0x0000000073FC0000-0x000000007456B000-memory.dmp

Filesize
5.7MB

Download
memory/1804-70-0x0000000073FC0000-0x000000007456B000-memory.dmp

Filesize
5.7MB

Download