General

  • Target: Scan_0011121021000.exe
  • Size: 1.9MB
  • Sample: 210106-raev6tyakn
  • MD5: dfbdf304ffb322276a26f4d7ac26ea34
  • SHA1: 5fd5e24be102441882add9a32e432ac32333ca6d
  • SHA256: 738e16b6660e32ed957f9fd9e0c5cea56b1aaa7695bcdb56998ca9866071e32b
  • SHA512: 09454ca8e82c963fc9caa564057f6bd4c6cd2f974f9ce42a4bbb1910ef21223398420e0d8748069194499ecbd5b9b8f9905d05f45c760b422161d7785eaa8acb

Malware Config

Targets

    • Target: Scan_0011121021000.exe

    • Modifies WinLogon for persistence
    • NetWire RAT payload
    • Netwire
      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.
    • ServiceHost packer
      Detects the ServiceHost packer used for .NET malware.
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • Winlogon Helper DLL (T1004) ×1
  • Registry Run Keys / Startup Folder (T1060) ×1

Defense Evasion
  • Modify Registry (T1112) ×2

Tasks