netwire | 98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
Size

932KB
MD5

5bdbd0d69c232c6aa19fed358cb1df55
SHA1

049c2fa22106d59d2c7ecfab81590f184dc8c7e2
SHA256

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd
SHA512

9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc
SSDEEP

12288:Qtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSga+lJ1JJ6A:Qtb20pkaCqT5TBWgNQ7aIFJ6A

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1784-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1784-139-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1784-142-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 3 IoCs

Processes:

Host.exeHost.exeHost.exe

pid process

3496 Host.exe
3376 Host.exe
3972 Host.exe

pid	process
3496	Host.exe
3376	Host.exe
3972	Host.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

description	pid	process	target process
PID 4500 set thread context of 1784	4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 3376 set thread context of 3972	3376	Host.exe	Host.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4196 3972 WerFault.exe Host.exe

pid	pid_target	process	target process
4196	3972	WerFault.exe	Host.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

pid	process
4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
3376	Host.exe
3376	Host.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

pid	process
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exe

pid	process
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe
3496	Host.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exeHost.exeHost.exe

description	pid	process	target process
PID 2804 wrote to memory of 4500	2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 2804 wrote to memory of 4500	2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 2804 wrote to memory of 4500	2804	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 4500 wrote to memory of 1784	4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 4500 wrote to memory of 1784	4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 4500 wrote to memory of 1784	4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 4500 wrote to memory of 1784	4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 4500 wrote to memory of 1784	4500	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
PID 1784 wrote to memory of 3496	1784	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	Host.exe
PID 1784 wrote to memory of 3496	1784	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	Host.exe
PID 1784 wrote to memory of 3496	1784	98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe	Host.exe
PID 3496 wrote to memory of 3376	3496	Host.exe	Host.exe
PID 3496 wrote to memory of 3376	3496	Host.exe	Host.exe
PID 3496 wrote to memory of 3376	3496	Host.exe	Host.exe
PID 3376 wrote to memory of 3972	3376	Host.exe	Host.exe
PID 3376 wrote to memory of 3972	3376	Host.exe	Host.exe
PID 3376 wrote to memory of 3972	3376	Host.exe	Host.exe
PID 3376 wrote to memory of 3972	3376	Host.exe	Host.exe
PID 3376 wrote to memory of 3972	3376	Host.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
"C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\791729" "C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe
"C:\Users\Admin\AppData\Local\Temp\98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Roaming\Install\Host.exe
C:\Users\Admin\AppData\Roaming\Install\Host.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\591894" "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Roaming\Install\Host.exe
"C:\Users\Admin\AppData\Roaming\Install\Host.exe"
6⤵
- Executes dropped EXE
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 12
7⤵
- Program crash
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3972 -ip 3972
1⤵
PID:3220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\591894
Filesize
18KB

MD5
143f53a14064672c2560e95d06da6aef

SHA1
2bcef010e56c897c9c02a70e39cc26f1b613d427

SHA256
5caecee41ae222b90eb8675ed16e162c28beffd18a05b25e5fc83c21665ac6e9

SHA512
2ff3ce014807b607eca7d3ce85cad8f3f5eb5f2c45bbf102207b4213b5d6212c569f8fcc6a65e46a9f7e2eb40cfccb0166449f2f94f179dc8b1da32b5e860f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\791729
Filesize
18KB

MD5
143f53a14064672c2560e95d06da6aef

SHA1
2bcef010e56c897c9c02a70e39cc26f1b613d427

SHA256
5caecee41ae222b90eb8675ed16e162c28beffd18a05b25e5fc83c21665ac6e9

SHA512
2ff3ce014807b607eca7d3ce85cad8f3f5eb5f2c45bbf102207b4213b5d6212c569f8fcc6a65e46a9f7e2eb40cfccb0166449f2f94f179dc8b1da32b5e860f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
12KB

MD5
1ec5c292c5cdd0897fdfb74f5cd012c2

SHA1
2a64c270087b8d4fbc3841e0219173574c096a8b

SHA256
6a8574b5f1418de69b850f1a0dd77d8a7917c05e01a67f12e7d150b09c37a090

SHA512
17c4107e359bf901037e7e91b88e5d1acfb9bb4ac7db51cadde5eeeb8cd20ec933f614f678598e899e70d0ccf2522ec7b39721c29c5137f2cea0780d81f5c6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
12KB

MD5
1ec5c292c5cdd0897fdfb74f5cd012c2

SHA1
2a64c270087b8d4fbc3841e0219173574c096a8b

SHA256
6a8574b5f1418de69b850f1a0dd77d8a7917c05e01a67f12e7d150b09c37a090

SHA512
17c4107e359bf901037e7e91b88e5d1acfb9bb4ac7db51cadde5eeeb8cd20ec933f614f678598e899e70d0ccf2522ec7b39721c29c5137f2cea0780d81f5c6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
81KB

MD5
539448350c03852dfbf099bc129d6efc

SHA1
8e95392aa43616de618da36e45437397d3eb7fd5

SHA256
e37d79a3af5690844a8389aeb65ddd344e1a1650986eccd918d2c3fba60130df

SHA512
1aa146c79d15f156c2e1563747c242b8b4619f91c0ef70bdbe48efb164e9c6a72b1db2a4d789b108205320821a88ea32e76ec54a95b76ba36d2e5a62f4ab9d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
81KB

MD5
539448350c03852dfbf099bc129d6efc

SHA1
8e95392aa43616de618da36e45437397d3eb7fd5

SHA256
e37d79a3af5690844a8389aeb65ddd344e1a1650986eccd918d2c3fba60130df

SHA512
1aa146c79d15f156c2e1563747c242b8b4619f91c0ef70bdbe48efb164e9c6a72b1db2a4d789b108205320821a88ea32e76ec54a95b76ba36d2e5a62f4ab9d9c

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
932KB

MD5
5bdbd0d69c232c6aa19fed358cb1df55

SHA1
049c2fa22106d59d2c7ecfab81590f184dc8c7e2

SHA256
98b0ceb542b0c198d9cbafc46bf7d0c7f8b4b0a418a4bb8b336787d54c7b34fd

SHA512
9da915e5369f731f62b16a9d1b63592faf024e250c32be0aa07b45e3a1a1abd0e5bb9ee9825f67dfa2d10326be99cdfa2a9f1cd505fa964bcd7732d16e3dcabc

Download Submit
memory/1784-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-139-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1784-136-0x0000000000000000-mapping.dmp

Download
memory/3376-144-0x0000000000000000-mapping.dmp

Download
memory/3496-140-0x0000000000000000-mapping.dmp

Download
memory/3972-149-0x0000000000000000-mapping.dmp

Download
memory/4500-132-0x0000000000000000-mapping.dmp

Download