netwire | 98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

Analysis

max time kernel
267s
max time network
367s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
Size

932KB
MD5

5bdbd0d69c232c6aa19fed358cb1df55
SHA1

049c2fa22106d59d2c7ecfab81590f184dc8c7e2
SHA256

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd
SHA512

9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc
SSDEEP

12288:Qtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga+lJ1JJ6A:Qtb20pkaCqT5TBWgNQ7aIFJ6A

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/680-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/680-63-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/680-66-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/680-69-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1936-82-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1936-87-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

276 Host.exe
540 Host.exe
1936 Host.exe
Loads dropped DLL 1 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe

pid process

680 98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe

pid	process
276	Host.exe
540	Host.exe
1936	Host.exe

pid	process
680	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

description	pid	process	target process
PID 1392 set thread context of 680	1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 540 set thread context of 1936	540	Host.exe	Host.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

pid process

1392 98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
540 Host.exe

pid	process
1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
540	Host.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

pid	process
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
276	Host.exe
276	Host.exe
276	Host.exe
276	Host.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

pid	process
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
276	Host.exe
276	Host.exe
276	Host.exe
276	Host.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exeHost.exe

description	pid	process	target process
PID 1192 wrote to memory of 1392	1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1192 wrote to memory of 1392	1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1192 wrote to memory of 1392	1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1192 wrote to memory of 1392	1192	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1392 wrote to memory of 680	1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1392 wrote to memory of 680	1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1392 wrote to memory of 680	1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1392 wrote to memory of 680	1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1392 wrote to memory of 680	1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1392 wrote to memory of 680	1392	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 680 wrote to memory of 276	680	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	Host.exe
PID 680 wrote to memory of 276	680	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	Host.exe
PID 680 wrote to memory of 276	680	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	Host.exe
PID 680 wrote to memory of 276	680	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	Host.exe
PID 276 wrote to memory of 540	276	Host.exe	Host.exe
PID 276 wrote to memory of 540	276	Host.exe	Host.exe
PID 276 wrote to memory of 540	276	Host.exe	Host.exe
PID 276 wrote to memory of 540	276	Host.exe	Host.exe
PID 540 wrote to memory of 1936	540	Host.exe	Host.exe
PID 540 wrote to memory of 1936	540	Host.exe	Host.exe
PID 540 wrote to memory of 1936	540	Host.exe	Host.exe
PID 540 wrote to memory of 1936	540	Host.exe	Host.exe
PID 540 wrote to memory of 1936	540	Host.exe	Host.exe
PID 540 wrote to memory of 1936	540	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
"C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\891611" "C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
"C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:276

C:\Users\Admin\AppData\Roaming\Install\Host.exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\531669" "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
- Executes dropped EXE
PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\531669
Filesize
18KB

MD5
143f53a14064672c2560e95d06da6aef

SHA1
2bcef010e56c897c9c02a70e39cc26f1b613d427

SHA256
5caecee41ae222b90eb8675ed16e162c28beffd18a05b25e5fc83c21665ac6e9

SHA512
2ff3ce014807b607eca7d3ce85cad8f3f5eb5f2c45bbf102207b4213b5d6212c569f8fcc6a65e46a9f7e2eb40cfccb0166449f2f94f179dc8b1da32b5e860f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\891611
Filesize
18KB

MD5
143f53a14064672c2560e95d06da6aef

SHA1
2bcef010e56c897c9c02a70e39cc26f1b613d427

SHA256
5caecee41ae222b90eb8675ed16e162c28beffd18a05b25e5fc83c21665ac6e9

SHA512
2ff3ce014807b607eca7d3ce85cad8f3f5eb5f2c45bbf102207b4213b5d6212c569f8fcc6a65e46a9f7e2eb40cfccb0166449f2f94f179dc8b1da32b5e860f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
12KB

MD5
1ec5c292c5cdd0897fdfb74f5cd012c2

SHA1
2a64c270087b8d4fbc3841e0219173574c096a8b

SHA256
6a8574b5f1418de69b850f1a0dd77d8a7917c05e01a67f12e7d150b09c37a090

SHA512
17c4107e359bf901037e7e91b88e5d1acfb9bb4ac7db51cadde5eeeb8cd20ec933f614f678598e899e70d0ccf2522ec7b39721c29c5137f2cea0780d81f5c6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
12KB

MD5
1ec5c292c5cdd0897fdfb74f5cd012c2

SHA1
2a64c270087b8d4fbc3841e0219173574c096a8b

SHA256
6a8574b5f1418de69b850f1a0dd77d8a7917c05e01a67f12e7d150b09c37a090

SHA512
17c4107e359bf901037e7e91b88e5d1acfb9bb4ac7db51cadde5eeeb8cd20ec933f614f678598e899e70d0ccf2522ec7b39721c29c5137f2cea0780d81f5c6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
81KB

MD5
539448350c03852dfbf099bc129d6efc

SHA1
8e95392aa43616de618da36e45437397d3eb7fd5

SHA256
e37d79a3af5690844a8389aeb65ddd344e1a1650986eccd918d2c3fba60130df

SHA512
1aa146c79d15f156c2e1563747c242b8b4619f91c0ef70bdbe48efb164e9c6a72b1db2a4d789b108205320821a88ea32e76ec54a95b76ba36d2e5a62f4ab9d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
81KB

MD5
539448350c03852dfbf099bc129d6efc

SHA1
8e95392aa43616de618da36e45437397d3eb7fd5

SHA256
e37d79a3af5690844a8389aeb65ddd344e1a1650986eccd918d2c3fba60130df

SHA512
1aa146c79d15f156c2e1563747c242b8b4619f91c0ef70bdbe48efb164e9c6a72b1db2a4d789b108205320821a88ea32e76ec54a95b76ba36d2e5a62f4ab9d9c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
memory/276-68-0x0000000000000000-mapping.dmp

Download
memory/540-73-0x0000000000000000-mapping.dmp

Download
memory/680-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/680-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/680-63-0x0000000000402196-mapping.dmp

Download
memory/680-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/680-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1192-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1392-55-0x0000000000000000-mapping.dmp

Download
memory/1936-82-0x0000000000402196-mapping.dmp

Download
memory/1936-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download