netwire | 8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654

General

Target

8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
Size

422KB
MD5

e6628f83f72ca99eea237c34a99dabac
SHA1

9d9754b3a4e912944f688d4627e942608dfcb613
SHA256

8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654
SHA512

92cfb0950e9d246c7af9b73280c39bbc6ce224fcacf91ef0a3ac8435c2269caa691c48bf7ce64cae2b1feacc0025f9608ed8e3574a8ff98bbe7f3de0d937d181
SSDEEP

6144:FnSClxLCbLhPJgPiIFr61pqJClxLCbLhPJgPi8oWK3DuW3pDzsQJXloSQ:FnSWRCROiQ6HqJWRCROi9Pzu0ds8XeS

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2880-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2880-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2880-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/2724-149-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

2416 Host.exe
2724 Host.exe

pid	process
2416	Host.exe
2724	Host.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exeHost.exe

description	pid	process	target process
PID 4588 set thread context of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 2416 set thread context of 2724	2416	Host.exe	Host.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
Token: SeDebugPrivilege	2416	Host.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exeHost.exe

description	pid	process	target process
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 4588 wrote to memory of 2880	4588	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
PID 2880 wrote to memory of 2416	2880	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	Host.exe
PID 2880 wrote to memory of 2416	2880	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	Host.exe
PID 2880 wrote to memory of 2416	2880	8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe
PID 2416 wrote to memory of 2724	2416	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
"C:\Users\Admin\AppData\Local\Temp\8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe
"C:\Users\Admin\AppData\Local\Temp\8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
422KB

MD5
e6628f83f72ca99eea237c34a99dabac

SHA1
9d9754b3a4e912944f688d4627e942608dfcb613

SHA256
8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654

SHA512
92cfb0950e9d246c7af9b73280c39bbc6ce224fcacf91ef0a3ac8435c2269caa691c48bf7ce64cae2b1feacc0025f9608ed8e3574a8ff98bbe7f3de0d937d181

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
422KB

MD5
e6628f83f72ca99eea237c34a99dabac

SHA1
9d9754b3a4e912944f688d4627e942608dfcb613

SHA256
8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654

SHA512
92cfb0950e9d246c7af9b73280c39bbc6ce224fcacf91ef0a3ac8435c2269caa691c48bf7ce64cae2b1feacc0025f9608ed8e3574a8ff98bbe7f3de0d937d181

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
422KB

MD5
e6628f83f72ca99eea237c34a99dabac

SHA1
9d9754b3a4e912944f688d4627e942608dfcb613

SHA256
8d74453079ccde24cfa1ffd5b6524d568362b6df211a5fb0f9fd8a9a0f379654

SHA512
92cfb0950e9d246c7af9b73280c39bbc6ce224fcacf91ef0a3ac8435c2269caa691c48bf7ce64cae2b1feacc0025f9608ed8e3574a8ff98bbe7f3de0d937d181

Download Submit
memory/2416-151-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2416-150-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2416-139-0x0000000000000000-mapping.dmp

Download
memory/2416-143-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/2724-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2724-144-0x0000000000000000-mapping.dmp

Download
memory/2880-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2880-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2880-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2880-134-0x0000000000000000-mapping.dmp

Download
memory/4588-138-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-132-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/4588-133-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads