netwire | e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2

General

Target

e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe
Size

270KB
MD5

5d267f53327a67de1acddf9266224155
SHA1

8b1451eedc01931df48531127839617942df9461
SHA256

e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2
SHA512

6e78ee956342847c18c44de7274e46d7e7ea0bb801360f05af25b7e9d094b85bac54f5718d38d225581d942de63ac8ffaeb8ef41ef9e1cfc5bcbb18c44dbe5af
SSDEEP

6144:KJn2R2tg1G/joO7pAsnAAAAAA5r5f7T0jxaQbRbO194v5vQ73ABNAAAA82R9eT:KJW2tK2H7pAsnAAAAAAjkaQtbOMv5vQJ

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/856-140-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/856-142-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/856-146-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/1652-150-0x00000000750E0000-0x0000000075691000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

Host.exe

pid process

4012 Host.exe
Drops file in System32 directory 1 IoCs

Processes:

msdtc.exe

description ioc process

File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe

pid	process
4012	Host.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exeRegSvcs.exe

description	pid	process	target process
PID 4964 set thread context of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 1652 set thread context of 856	1652	RegSvcs.exe	RegSvcs.exe

Drops file in Windows directory 1 IoCs

Processes:

msdtc.exe

description ioc process

File opened for modification C:\Windows\DtcInstall.log msdtc.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 4964 wrote to memory of 1652	4964	e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 1652 wrote to memory of 856	1652	RegSvcs.exe	RegSvcs.exe
PID 856 wrote to memory of 4012	856	RegSvcs.exe	Host.exe
PID 856 wrote to memory of 4012	856	RegSvcs.exe	Host.exe
PID 856 wrote to memory of 4012	856	RegSvcs.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe
"C:\Users\Admin\AppData\Local\Temp\e0fbcfe1224dc424aad75f66af776528917400202aa946d7ad2c85e2339c79e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Roaming\Install\Host.exe
-m "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Executes dropped EXE
PID:4012

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
32KB

MD5
3a77a4f220612fa55118fb8d7ddae83c

SHA1
b96fa726fc84fd46d03dd3c32689f645e0422278

SHA256
2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f

SHA512
33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

Download Submit
C:\Users\Admin\AppData\Roaming\Install\Host.exe
Filesize
32KB

MD5
3a77a4f220612fa55118fb8d7ddae83c

SHA1
b96fa726fc84fd46d03dd3c32689f645e0422278

SHA256
2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f

SHA512
33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

Download Submit
memory/856-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/856-146-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/856-139-0x0000000000000000-mapping.dmp

Download
memory/856-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1652-143-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/1652-137-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1652-136-0x0000000000000000-mapping.dmp

Download
memory/1652-150-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4012-144-0x0000000000000000-mapping.dmp

Download
memory/4012-148-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4012-149-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4964-135-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download
memory/4964-138-0x00000000750E0000-0x0000000075691000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads