netwire | 58e6a469f1ace9ec112de054209783ad6dd469a0794f20a998a0dcdf02a4834e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7ff8ea9951ceb3e3660bfc3500b211a.exe
Size

112KB
MD5

a7ff8ea9951ceb3e3660bfc3500b211a
SHA1

547237200e4044f1f6e2165b6d9d060adab4ab71
SHA256

58e6a469f1ace9ec112de054209783ad6dd469a0794f20a998a0dcdf02a4834e
SHA512

f06d47f89ef2cced0d0bc5aa69622ce74b2420b108e6c07ed83be4d93b151eb4025cd5d2005c5f65e1c59a734609eda421c27a55903546a59698ced2b8087d9a
SSDEEP

3072:lh0seFp3R/lmAZCx+Ru8ymVqSSWT78SpeDT2d:lh0s8p373+SNToSpF

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

fartgul.duckdns.org:3360

fartgul.duckdns.org:3369

fartgul.duckdns.org:4000

fratful.dynu.net:4000

fratful.dynu.net:3369

fratful.dynu.net:3360

tartful.hopto.org:3360

tartful.hopto.org:3369

tartful.hopto.org:4000

futerty.mooo.com:3369

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Pay
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
KcLLFWch
offline_keylogger
true
password
Singlesingle1@
registry_autorun
false
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2416-142-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/2416-144-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/2416-145-0x0000000000400000-0x0000000000425000-memory.dmp	netwire
behavioral2/memory/2416-147-0x0000000000400000-0x0000000000425000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yVqZv661.url	a7ff8ea9951ceb3e3660bfc3500b211a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yVqZv661.url	a7ff8ea9951ceb3e3660bfc3500b211a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 2416	1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe	89

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2416	1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe	89
PID 1900 wrote to memory of 2416	1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe	89
PID 1900 wrote to memory of 2416	1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe	89
PID 1900 wrote to memory of 2416	1900	a7ff8ea9951ceb3e3660bfc3500b211a.exe	89

C:\Users\Admin\AppData\Local\Temp\a7ff8ea9951ceb3e3660bfc3500b211a.exe
"C:\Users\Admin\AppData\Local\Temp\a7ff8ea9951ceb3e3660bfc3500b211a.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\a7ff8ea9951ceb3e3660bfc3500b211a.exe
  "C:\Users\Admin\AppData\Local\Temp\a7ff8ea9951ceb3e3660bfc3500b211a.exe"
  2⤵
  PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-133-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download
memory/1900-134-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/1900-135-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/1900-136-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/1900-140-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/1900-141-0x0000000005170000-0x0000000005173000-memory.dmp

Filesize
12KB

Download
memory/1900-146-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/2416-142-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-144-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-145-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2416-147-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download