General

  • Target

    6d13bcbb45eb4aaf00e63c46f6f393d879a1024be898f95d09c9d50647e76319.bin

  • Size

    403KB

  • Sample

    210719-fajl6hrche

  • MD5

    593a29ce11dbd3aa281d170d43f372b1

  • SHA1

    43e73ff7d4c8143b382dee318a50c4e9d8c5c77c

  • SHA256

    6d13bcbb45eb4aaf00e63c46f6f393d879a1024be898f95d09c9d50647e76319

  • SHA512

    944c7a12b312cfde56ed3c08d424ff12cc3eb0038ac7e7f0554e560b56d13ba8de74a479a98b3b608ba8b6cd8ec733a9adda6e3c9ee21065b6ef288f84c693bb

Malware Config

Extracted

Family

netwire

C2

chrisle79.ddns.net:4414

jacknop79.ddns.net:4414

smath79.ddns.net:4414

whatis79.ddns.net:4414

goodgt79.ddns.net:4414

bonding79.ddns.net:4414

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    June 2021

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password2$

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      6d13bcbb45eb4aaf00e63c46f6f393d879a1024be898f95d09c9d50647e76319.bin

    • Size

      403KB

    • MD5

      593a29ce11dbd3aa281d170d43f372b1

    • SHA1

      43e73ff7d4c8143b382dee318a50c4e9d8c5c77c

    • SHA256

      6d13bcbb45eb4aaf00e63c46f6f393d879a1024be898f95d09c9d50647e76319

    • SHA512

      944c7a12b312cfde56ed3c08d424ff12cc3eb0038ac7e7f0554e560b56d13ba8de74a479a98b3b608ba8b6cd8ec733a9adda6e3c9ee21065b6ef288f84c693bb

    • Modifies WinLogon for persistence

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Defense Evasion

Modify Registry

1
T1112

Tasks