netwire | 8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c

General

Target

8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe
Size

164KB
MD5

edf1903c50e0ac4e313da1dcf159546f
SHA1

fbad0a82ee70c08cd8d1a2ff9274e63bbae36ec7
SHA256

8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c
SHA512

fd1a50f2926e119b799af0f4ff8ca1a1bc1495e4d3fac19ae9710adf5f0ba5eb949ade50900445a914a1a6ba971a59fadf597be5450497b44fcca4a590f1845a
SSDEEP

3072:Iy0lpnsMb2tjGIUSF9bXG5EGkynXodJ1LAEfsEkpDJBHwqZ1ZYx8xE6HDQm:X0lpnsMb2tUSP3GkyiJyEUDJBHwKZYxi

Score

10^/10

netwire botnet rat stealer

Malware Config

Signatures

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1300-61-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-63-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-64-0x0000000000402196-mapping.dmp	netwire
behavioral1/memory/1300-67-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-69-0x0000000000400000-0x000000000041E000-memory.dmp	netwire
behavioral1/memory/1300-70-0x0000000000400000-0x000000000041E000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Suspicious use of SetThreadContext 2 IoCs

Processes:

8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe

description	pid	process	target process
PID 1364 set thread context of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 set thread context of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe

Drops file in Windows directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe

description	pid	process	target process
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1300	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe
PID 1364 wrote to memory of 1528	1364	8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe
"C:\Users\Admin\AppData\Local\Temp\8baf3a611ee43769383f9cbf1a8976d57d2d6e53274f7bf830509a2f31ac077c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
2⤵
- Drops file in Windows directory
PID:1300

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" /qSILlzCwXB /C:\Users\Admin\AppData\Roaming\qSILlzCwXB\qSILlzCwXB.exe
2⤵
PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1300-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-57-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-63-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-64-0x0000000000402196-mapping.dmp

Download
memory/1300-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1364-68-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-84-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-55-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/1528-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1528-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1528-76-0x00000000004026FA-mapping.dmp

Download
memory/1528-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1528-78-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1528-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1528-82-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-83-0x00000000741F0000-0x000000007479B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads