General

  • Target

    X2.exe

  • Size

    1.8MB

  • Sample

    201209-e7cl23sbwn

  • MD5

    36f108b320d0b177b1fb3e20fb917cb1

  • SHA1

    a3a40037b451c4d25758eec72009e703f1f80534

  • SHA256

    ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

  • SHA512

    9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

Malware Config

Targets

    • Target

      X2.exe

    • Size

      1.8MB

    • MD5

      36f108b320d0b177b1fb3e20fb917cb1

    • SHA1

      a3a40037b451c4d25758eec72009e703f1f80534

    • SHA256

      ac5172fa3b434962c4f2e12b9c47dfd29a939b1d15c358ead485c4843ae065aa

    • SHA512

      9e97b0984a711244e5783dd772490a12858557a4c4dc677f5f1189e92d4232db48e5e56471fd0af3e78b2cd801ac34df4b71bceba84d26fe76e3b15ae109bd62

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • JavaScript code in executable

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Tasks