netwire | 0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b

General

Target

0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
Size

124KB
MD5

fa9e61f2139112fe8ed6dbcd4e49d462
SHA1

a524b57b42bbb0962e66197b37ffbda6bc44c985
SHA256

0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b
SHA512

c8a6af6178f3dc02e23d3c6b8084060e8a3556e3064c893210d5e2e9af7dcc42fd6b15b388710a27fb31ac604f99122b03898f83970ab15483f3bd05782704b1
SSDEEP

3072:NdkI7wp1d9HHuyiVB9N45y7W88V7ZWjN0+qLIDJ:NSphnub9N45XcBzqsD

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1620-61-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1620-63-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1620-64-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1620-67-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1620-71-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-84-0x00000000004021DA-mapping.dmp	netwire
behavioral1/memory/1300-90-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-91-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

Host.exeHost.exe

pid process

1120 Host.exe
1300 Host.exe
Loads dropped DLL 1 IoCs

Processes:

0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe

pid process

1620 0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe

pid	process
1120	Host.exe
1300	Host.exe

pid	process
1620	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exeHost.exe

description	pid	process	target process
PID 940 set thread context of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 1120 set thread context of 1300	1120	Host.exe	Host.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exeHost.exe

description	pid	process	target process
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 940 wrote to memory of 1620	940	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
PID 1620 wrote to memory of 1120	1620	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	Host.exe
PID 1620 wrote to memory of 1120	1620	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	Host.exe
PID 1620 wrote to memory of 1120	1620	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	Host.exe
PID 1620 wrote to memory of 1120	1620	0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe
PID 1120 wrote to memory of 1300	1120	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
"C:\Users\Admin\AppData\Local\Temp\0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe
"C:\Users\Admin\AppData\Local\Temp\0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
124KB

MD5
fa9e61f2139112fe8ed6dbcd4e49d462

SHA1
a524b57b42bbb0962e66197b37ffbda6bc44c985

SHA256
0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b

SHA512
c8a6af6178f3dc02e23d3c6b8084060e8a3556e3064c893210d5e2e9af7dcc42fd6b15b388710a27fb31ac604f99122b03898f83970ab15483f3bd05782704b1

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
124KB

MD5
fa9e61f2139112fe8ed6dbcd4e49d462

SHA1
a524b57b42bbb0962e66197b37ffbda6bc44c985

SHA256
0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b

SHA512
c8a6af6178f3dc02e23d3c6b8084060e8a3556e3064c893210d5e2e9af7dcc42fd6b15b388710a27fb31ac604f99122b03898f83970ab15483f3bd05782704b1

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
124KB

MD5
fa9e61f2139112fe8ed6dbcd4e49d462

SHA1
a524b57b42bbb0962e66197b37ffbda6bc44c985

SHA256
0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b

SHA512
c8a6af6178f3dc02e23d3c6b8084060e8a3556e3064c893210d5e2e9af7dcc42fd6b15b388710a27fb31ac604f99122b03898f83970ab15483f3bd05782704b1

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
124KB

MD5
fa9e61f2139112fe8ed6dbcd4e49d462

SHA1
a524b57b42bbb0962e66197b37ffbda6bc44c985

SHA256
0280d01acef062c20eb217b98c954617a08e819e480a64305e0b44585b17178b

SHA512
c8a6af6178f3dc02e23d3c6b8084060e8a3556e3064c893210d5e2e9af7dcc42fd6b15b388710a27fb31ac604f99122b03898f83970ab15483f3bd05782704b1

Download Submit
memory/940-68-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/940-55-0x0000000074230000-0x00000000747DB000-memory.dmp

Filesize
5.7MB

Download
memory/940-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1120-75-0x0000000073C80000-0x000000007422B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-70-0x0000000000000000-mapping.dmp

Download
memory/1120-88-0x0000000073C80000-0x000000007422B000-memory.dmp

Filesize
5.7MB

Download
memory/1300-84-0x00000000004021DA-mapping.dmp

Download
memory/1300-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1620-64-0x00000000004021DA-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads