netwire | 15ed48a323171f521247258630d9ef6d3fe785b5fe3aa9ff77b58b150b734310

Analysis

max time kernel
110s
max time network
112s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f20d00b4ec898a33e130720d4d29e94070e1575.exe
Size

393KB
MD5

f1a220c982fa2b7330cd7c7671f8733c
SHA1

9f20d00b4ec898a33e130720d4d29e94070e1575
SHA256

15ed48a323171f521247258630d9ef6d3fe785b5fe3aa9ff77b58b150b734310
SHA512

face49fa9216d325062326c475fa88b5170ac39ea2bed44de721276ddd79f45c620064ef01372f8b90e7104c3cab9ec0a1b76a98357c7efeedcd47a1608e22c1
SSDEEP

12288:9YfbednM3kIg00BJ1sKN+zNva8lq1NtWH:9YenIqqFlqdWH

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

bright1.awsmppl.com:4770

ml.warzonedns.com:4770

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-qwU2Y0
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-57-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

Processes:

9f20d00b4ec898a33e130720d4d29e94070e1575.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mvnrdwndlnkngyb.vbs	9f20d00b4ec898a33e130720d4d29e94070e1575.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9f20d00b4ec898a33e130720d4d29e94070e1575.exe

description	pid	process	target process
PID 1708 set thread context of 1956	1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe	9f20d00b4ec898a33e130720d4d29e94070e1575.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

9f20d00b4ec898a33e130720d4d29e94070e1575.exe

pid	process
1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe
1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe
1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe
1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9f20d00b4ec898a33e130720d4d29e94070e1575.exe

pid process

1708 9f20d00b4ec898a33e130720d4d29e94070e1575.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9f20d00b4ec898a33e130720d4d29e94070e1575.exe

description	pid	process	target process
PID 1708 wrote to memory of 1956	1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe	9f20d00b4ec898a33e130720d4d29e94070e1575.exe
PID 1708 wrote to memory of 1956	1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe	9f20d00b4ec898a33e130720d4d29e94070e1575.exe
PID 1708 wrote to memory of 1956	1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe	9f20d00b4ec898a33e130720d4d29e94070e1575.exe
PID 1708 wrote to memory of 1956	1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe	9f20d00b4ec898a33e130720d4d29e94070e1575.exe
PID 1708 wrote to memory of 1956	1708	9f20d00b4ec898a33e130720d4d29e94070e1575.exe	9f20d00b4ec898a33e130720d4d29e94070e1575.exe

C:\Users\Admin\AppData\Local\Temp\9f20d00b4ec898a33e130720d4d29e94070e1575.exe
"C:\Users\Admin\AppData\Local\Temp\9f20d00b4ec898a33e130720d4d29e94070e1575.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\9f20d00b4ec898a33e130720d4d29e94070e1575.exe
"C:\Users\Admin\AppData\Local\Temp\9f20d00b4ec898a33e130720d4d29e94070e1575.exe"
2⤵
PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000000402570-mapping.dmp

Download
memory/1956-57-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download