netwire | d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe

General

Target

d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
Size

2.4MB
MD5

dc794c6baef5fa590421ac67e3d08a4b
SHA1

3362ee2afdb1cf40830a8e3e3ec2dde1eb0887a0
SHA256

d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe
SHA512

08133ba467a25450a303323ddc21ac0697a75bf42ee80994dcc89161c1d7b03e3a9960c782d2126522076c115404492cf7490e5cbe979e1c2ba8baa895227cf6
SSDEEP

49152:2JGhVJmzCDq35LO3mIp07KtjgRk0oqRuwSCFVPB9ZhhqDF8xLt9QQfBcWqeR+jl2:2gjLW8OjQ1a7

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

C2

venezia-pl.myq-see.com:3737

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
February-2021
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
bQkxKHhm
offline_keylogger
true
password
ALANKA121
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/856-68-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/856-70-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/856-67-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/856-66-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/856-71-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/856-72-0x000000000040242D-mapping.dmp	netwire
behavioral1/memory/856-75-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/856-77-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1768-56-0x0000000005140000-0x00000000053A8000-memory.dmp	beds_protector

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe	Powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

description	pid	process	target process
PID 1768 set thread context of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Powershell.exed736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

pid process

1764 Powershell.exe
1768 d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

pid	process
1764	Powershell.exe
1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Powershell.exed736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

description	pid	process
Token: SeDebugPrivilege	1764	Powershell.exe
Token: SeDebugPrivilege	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

C:\Users\Admin\AppData\Local\Temp\d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
"C:\Users\Admin\AppData\Local\Temp\d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Users\Admin\AppData\Local\Temp\d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
"C:\Users\Admin\AppData\Local\Temp\d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe"
2⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
"C:\Users\Admin\AppData\Local\Temp\d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe"
2⤵
PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-72-0x000000000040242D-mapping.dmp

Download
memory/856-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-75-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-59-0x000000006F940000-0x000000006FEEB000-memory.dmp

Filesize
5.7MB

Download
memory/1764-57-0x0000000000000000-mapping.dmp

Download
memory/1764-76-0x000000006F940000-0x000000006FEEB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-60-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1768-54-0x0000000001340000-0x00000000015B4000-memory.dmp

Filesize
2.5MB

Download
memory/1768-56-0x0000000005140000-0x00000000053A8000-memory.dmp

Filesize
2.4MB

Download
memory/1768-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download

description	pid	process	target process
PID 1768 wrote to memory of 1764	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	Powershell.exe
PID 1768 wrote to memory of 1764	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	Powershell.exe
PID 1768 wrote to memory of 1764	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	Powershell.exe
PID 1768 wrote to memory of 1764	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	Powershell.exe
PID 1768 wrote to memory of 1052	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 1052	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 1052	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 1052	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe
PID 1768 wrote to memory of 856	1768	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe	d736c5b2ae27af1aee10c2dbdecfdc42dde2addb52b2994f3e1d57c7bc97fbfe.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads