netwire | cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310

Analysis

max time kernel
86s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
Size

284KB
MD5

8ac5bd7b6012be46799fd8ab25fb6390
SHA1

7f5542064ba7fe1fa2e44d259f576b2054915f47
SHA256

cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310
SHA512

8612c8515324f7a93ce94515690a46067a8754fa2a874074181ee68c33e025449cd5867be620710e53ae1a0bf47fc70cbe4f9e80c5880c21a86c7a70c2a52ff1
SSDEEP

6144:pNNaI9Q51BCwYdKxpqNELJXYM+Ab6Rye2k6YDq5cPNEjoeF:pNNlefCwpqNERYM3PM3qAEjoG

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

melvintravel.ddns.net:39760

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
EngineWEALTH
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
mutex
qJfDOWue
offline_keylogger
true
password
Onelove
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-57-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rootvimkvddoarv.vbs	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

description	pid	process	target process
PID 1080 set thread context of 1956	1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

pid	process
1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

pid process

1080 cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

description	pid	process	target process
PID 1080 wrote to memory of 1956	1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
PID 1080 wrote to memory of 1956	1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
PID 1080 wrote to memory of 1956	1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
PID 1080 wrote to memory of 1956	1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
PID 1080 wrote to memory of 1956	1080	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe	cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe

C:\Users\Admin\AppData\Local\Temp\cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
"C:\Users\Admin\AppData\Local\Temp\cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe
"C:\Users\Admin\AppData\Local\Temp\cd73f6562e0e4d49a8fe056772ce180c3103e36ee6a122303fe20173baac5310.exe"
2⤵
PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000000402570-mapping.dmp

Download
memory/1956-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download