netwire | 34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a

Analysis

max time kernel
144s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
Size

161KB
MD5

906a1737187cf53bd4e256659a83c981
SHA1

ffec0160e8e895aa2497ef984377de8b07138501
SHA256

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a
SHA512

f78350c96d3276336eec9ba97c05add31d799cd243082f562b7fbf50b24a6a376e6ac3694ae37c40ea8077301567622db2ed6efc8d324cae0f08bf099f97f38a
SSDEEP

3072:qm6uSJNBB3ZVatxDG67LwjX4DTjeAQaRCG7mmhAEFua7:fnSJnBaxhQ47VRCG7YEFt

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/688-60-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/688-62-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/688-63-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/688-66-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/688-68-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

description	pid	process	target process
PID 1700 set thread context of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

description	pid	process	target process
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 1700 wrote to memory of 688	1700	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
"C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
"C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe"
2⤵
PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/688-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/688-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/688-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/688-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/688-63-0x0000000000402196-mapping.dmp

Download
memory/688-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/688-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1700-54-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/1700-67-0x0000000074160000-0x000000007470B000-memory.dmp

Filesize
5.7MB

Download