netwire | 63b408d9416dc9d3c2c4fc8aa11100e5c58a5faf44d210229b867f12d0ce9c02

Analysis

max time kernel
280s
max time network
284s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 03:10

Target

unk.exe
Size

910KB
MD5

c7331f4c14752e3fb6bdf174395de01b
SHA1

097c79ecbb662e332a490b63cd2a497464afa1a2
SHA256

63b408d9416dc9d3c2c4fc8aa11100e5c58a5faf44d210229b867f12d0ce9c02
SHA512

a236c11638434438baeb2c9ebc12ec4c1dc19dbcc9e6aac91ba487e8035a2c8c0cba8af4878c98a45983a8ed9f578a1500357611854c83fa51ac8ac6633fe11f
SSDEEP

24576:MA3jbtIYqWkWyt5lt+8v50tFA4MLrxN5IC54TWMt:rTrqWkWktrGtFA4Wtgi

Score

10^/10

Family

netwire

69.174.98.165:3369

Attributes

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/784-65-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/784-67-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/784-68-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/784-70-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/784-71-0x000000000041AD7B-mapping.dmp	netwire
behavioral1/memory/784-74-0x0000000000400000-0x000000000044F000-memory.dmp	netwire
behavioral1/memory/784-75-0x0000000000400000-0x000000000044F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Suspicious use of SetThreadContext 1 IoCs

Processes:

unk.exe

description pid process target process

PID 2036 set thread context of 784 2036 unk.exe unk.exe

description	pid	process	target process
PID 2036 set thread context of 784	2036	unk.exe	unk.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

unk.exe

description	pid	process	target process
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe
PID 2036 wrote to memory of 784	2036	unk.exe	unk.exe

C:\Users\Admin\AppData\Local\Temp\unk.exe
"C:\Users\Admin\AppData\Local\Temp\unk.exe"
2⤵
PID:784

memory/784-70-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-71-0x000000000041AD7B-mapping.dmp

Download
memory/784-68-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-61-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-67-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/784-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2036-58-0x0000000007EC0000-0x0000000007F6E000-memory.dmp

Filesize
696KB

Download
memory/2036-55-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/2036-54-0x0000000000970000-0x0000000000A58000-memory.dmp

Filesize
928KB

Download
memory/2036-59-0x0000000004390000-0x00000000043DC000-memory.dmp

Filesize
304KB

Download
memory/2036-57-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2036-56-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download