netwire | fc0bba04948a745d390a4eec0f86b470e441e2f71250ec6321eb848b96a19961

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

232f6a9626c5797232c775ca53233b68.exe
Size

297KB
MD5

232f6a9626c5797232c775ca53233b68
SHA1

b4e06faf3cc8c5478050cd52da7da3fc48d791d8
SHA256

fc0bba04948a745d390a4eec0f86b470e441e2f71250ec6321eb848b96a19961
SHA512

ea6c715b6e9402f787db10c80960805a3998d6a95325b3ab4f21884ad111970c93e7ed215ee19270d2f22d848e50ed865a58896249cbd3fe91e129e62a32557d
SSDEEP

6144:3bjy2rtepPpf7h263PnifmrPX+zNS9MP2KDdPTE7FVfPWl:3bWtf7Z3PnFWNEMP2YZ67

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

naval.duckdns.org:4997

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2412-17-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2412-20-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2412-21-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2412-23-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rhepbreiwayqsva.eu.url	232f6a9626c5797232c775ca53233b68.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 2412	2232	232f6a9626c5797232c775ca53233b68.exe	29

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2232	232f6a9626c5797232c775ca53233b68.exe
2232	232f6a9626c5797232c775ca53233b68.exe
2232	232f6a9626c5797232c775ca53233b68.exe
2232	232f6a9626c5797232c775ca53233b68.exe
2232	232f6a9626c5797232c775ca53233b68.exe
2232	232f6a9626c5797232c775ca53233b68.exe
2232	232f6a9626c5797232c775ca53233b68.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2232	232f6a9626c5797232c775ca53233b68.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2412	2232	232f6a9626c5797232c775ca53233b68.exe	29
PID 2232 wrote to memory of 2412	2232	232f6a9626c5797232c775ca53233b68.exe	29
PID 2232 wrote to memory of 2412	2232	232f6a9626c5797232c775ca53233b68.exe	29
PID 2232 wrote to memory of 2412	2232	232f6a9626c5797232c775ca53233b68.exe	29
PID 2232 wrote to memory of 2412	2232	232f6a9626c5797232c775ca53233b68.exe	29

C:\Users\Admin\AppData\Local\Temp\232f6a9626c5797232c775ca53233b68.exe
"C:\Users\Admin\AppData\Local\Temp\232f6a9626c5797232c775ca53233b68.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\232f6a9626c5797232c775ca53233b68.exe
  "C:\Users\Admin\AppData\Local\Temp\232f6a9626c5797232c775ca53233b68.exe"
  2⤵
  PID:2412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-9-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-2-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download
memory/2232-4-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-7-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-8-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-10-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-13-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-22-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-3-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-16-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-18-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-6-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-12-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-11-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download
memory/2412-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-20-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2412-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download