netwire | 34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a

Analysis

max time kernel
155s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
Size

161KB
MD5

906a1737187cf53bd4e256659a83c981
SHA1

ffec0160e8e895aa2497ef984377de8b07138501
SHA256

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a
SHA512

f78350c96d3276336eec9ba97c05add31d799cd243082f562b7fbf50b24a6a376e6ac3694ae37c40ea8077301567622db2ed6efc8d324cae0f08bf099f97f38a
SSDEEP

3072:qm6uSJNBB3ZVatxDG67LwjX4DTjeAQaRCG7mmhAEFua7:fnSJnBaxhQ47VRCG7YEFt

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/840-135-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/840-137-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/840-140-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral2/memory/840-141-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 1 IoCs

Processes:

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

description	pid	process	target process
PID 3440 set thread context of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

pid	process
3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

description pid process

Token: SeDebugPrivilege 3440 34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

description	pid	process
Token: SeDebugPrivilege	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

description	pid	process	target process
PID 3440 wrote to memory of 4792	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 4792	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 4792	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
PID 3440 wrote to memory of 840	3440	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe	34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe

C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
"C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
"C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe"
2⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe
"C:\Users\Admin\AppData\Local\Temp\34ec65b4bafa3e6b28917c39fe20a3ff91acad98af629dbe3c9f27d9a239f69a.exe"
2⤵
PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/840-134-0x0000000000000000-mapping.dmp

Download
memory/840-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/840-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/840-140-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/840-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3440-132-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3440-138-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/3440-139-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/4792-133-0x0000000000000000-mapping.dmp

Download