netwire | 9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe
Size

236KB
MD5

557bcc59ab20c44eb5b84c5073199983
SHA1

52d573e3d68459bfbb728510db9c7e564fcb1bbb
SHA256

9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c
SHA512

e5264c9aa5a445df6848f48d6eaa8acc3173848ddab34ab641308f2ec34a2905894c953ed2c9bed3078aea9d39ab3d77bacd728db7941073c4966978f64f13a2
SSDEEP

6144:XqqDLuj88h5Acbv98/V4+a0hu3Z6dY5y:6qnuo877bFm48huYY

Score

10^/10

netwire botnet rat stealer

Malware Config

Extracted

Family

netwire

atlaswebportal.zapto.org:4000

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
R5_04.08.16
keylogger_dir
C:\NVIDIA\profile\
lock_executable
false
offline_keylogger
true
password
Micr0s0ft4456877
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 29 IoCs

rat

resource	yara_rule
behavioral1/memory/2756-3-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-5-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-7-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-11-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-9-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-13-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-15-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-17-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-19-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-21-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-23-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-25-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-27-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-29-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-31-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-33-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-35-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-41-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-43-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-45-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-47-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-49-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-51-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-57-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-59-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-61-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-63-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-65-0x0000000000400000-0x000000000041F000-memory.dmp	netwire
behavioral1/memory/2756-149281-0x0000000000400000-0x000000000041F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2572	2756	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe
2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe
2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe
2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30
PID 2168 wrote to memory of 2756	2168	9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe	30

C:\Users\Admin\AppData\Local\Temp\9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe
"C:\Users\Admin\AppData\Local\Temp\9865e9f4989142513108fb6e783aa0b14528af46cc77f846e6a206c6362b0e7c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 160
    3⤵
    - Program crash
    PID:2572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-0-0x0000000001C40000-0x0000000001CBB000-memory.dmp

Filesize
492KB

Download
memory/2168-1-0x0000000076F2F000-0x0000000076F30000-memory.dmp

Filesize
4KB

Download
memory/2168-2-0x0000000001C40000-0x0000000001CBB000-memory.dmp

Filesize
492KB

Download
memory/2168-149279-0x0000000001C40000-0x0000000001CBB000-memory.dmp

Filesize
492KB

Download
memory/2756-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-35-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-149267-0x0000000076F2F000-0x0000000076F30000-memory.dmp

Filesize
4KB

Download
memory/2756-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-149278-0x0000000076F2F000-0x0000000076F30000-memory.dmp

Filesize
4KB

Download
memory/2756-149281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2756-149280-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2756-149282-0x0000000074D90000-0x0000000074EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-149283-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download