General

  • Target

    proof of payment.scr.exe

  • Size

    873KB

  • Sample

    210713-l61fvclaqj

  • MD5

    693fc4eb901d82a09678e506960fd24d

  • SHA1

    8fcfb6ea44062af4557b2820591f75126b5edf81

  • SHA256

    59fc44577bd89c7f6ae86b0b13e7e19c4d17612b4d5696e6c70d2e88d5d8115e

  • SHA512

    0c076cf5b30edb1c8f51c11e52778cd20eaf88736467e1c0f401b48154ae54ed31433efa898c0be883bab6a9ed435540d16974858eb691410787f787870d464a

Malware Config

Extracted

Family

netwire

C2

harold.ns01.info:3606

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Ojoko

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    enbSUNvD

  • offline_keylogger

    true

  • password

    master12

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Targets

    • Target

      proof of payment.scr.exe

    • Size

      873KB

    • MD5

      693fc4eb901d82a09678e506960fd24d

    • SHA1

      8fcfb6ea44062af4557b2820591f75126b5edf81

    • SHA256

      59fc44577bd89c7f6ae86b0b13e7e19c4d17612b4d5696e6c70d2e88d5d8115e

    • SHA512

      0c076cf5b30edb1c8f51c11e52778cd20eaf88736467e1c0f401b48154ae54ed31433efa898c0be883bab6a9ed435540d16974858eb691410787f787870d464a

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

System Information Discovery

1
T1082

Tasks