General

  • Target

    0f70263fe10dd4f80b8f55d7ee4c75c6.exe

  • Size

    878KB

  • Sample

    201213-t7f6rcdw62

  • MD5

    0f70263fe10dd4f80b8f55d7ee4c75c6

  • SHA1

    01774685daf3b29f6ca167fc685df442ffcfcef3

  • SHA256

    d448e98a5a460af5fe86ca742ec12b77bfd051db847cff94c4e60189379548ae

  • SHA512

    2c3f050e4a08340b12948dd30886c7fa60f2dc60281cfc408cb84928de8d474f156ee6bf4bf8a6264e82ce1e3d30195fc30845edff349eaf24b486f840923f10

Malware Config

Targets

    • Target

      0f70263fe10dd4f80b8f55d7ee4c75c6.exe

    • Size

      878KB

    • MD5

      0f70263fe10dd4f80b8f55d7ee4c75c6

    • SHA1

      01774685daf3b29f6ca167fc685df442ffcfcef3

    • SHA256

      d448e98a5a460af5fe86ca742ec12b77bfd051db847cff94c4e60189379548ae

    • SHA512

      2c3f050e4a08340b12948dd30886c7fa60f2dc60281cfc408cb84928de8d474f156ee6bf4bf8a6264e82ce1e3d30195fc30845edff349eaf24b486f840923f10

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Modifies Installed Components in the registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID      Count
  Persistence      Registry Run Keys / Startup Folder   T1060   2
  Defense Evasion  Virtualization/Sandbox Evasion       T1497   2
  Defense Evasion  Modify Registry                      T1112   2
  Discovery        Query Registry                       T1012   4
  Discovery        Virtualization/Sandbox Evasion       T1497   2
  Discovery        System Information Discovery         T1082   2
  Discovery        Peripheral Device Discovery          T1120   1

Tasks