355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin

General
Target

355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin

Size

212KB

Sample

210719-m7p77jyepn

Score
10 /10
MD5

aeae64fab4622ed23e1c61d26de74249

SHA1

5dabbf8093eed124e64a7e39c83e14976a74b8bb

SHA256

355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065

SHA512

ca6602e3ee04b174581b90cde554a6bdf5f7560fd1ccbae26982df297e8daf18db63219029322ff2e2ea950d8a284311d7486086c9048d1b247f2dd62a953050

Malware Config

Extracted

Family netwire
C2

127.0.0.1:3360

chrisle79.ddns.net:4414

jacknop79.ddns.net:4414

smath79.ddns.net:4414

whatis79.ddns.net:4414

goodgt79.ddns.net:4414

bonding79.ddns.net:4414

Attributes

activex_autorun: false
activex_key: (not set)
copy_executable: false
delete_original: false
host_id: June 2021
install_path: (not set)
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: (not set)
offline_keylogger: true
password: Password2$
registry_autorun: false
startup_name: (not set)
use_mutex: false
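The extracted configuration above is directly usable as network IOCs. The following is an added example (not part of the sandbox report and not NetWire or Triage code) that turns the C2 list into IOC objects and runs them over log lines. The host:port entries are copied from the report; the log lines are constructed for this example, and their two formats (`<epoch> dns <client_ip> <name>` and `<epoch> conn <src_ip> <dst_ip>:<dst_port>`) are assumptions. The loopback entry 127.0.0.1:3360 is kept for reference but treated as non-actionable, since no other host can reach it. The `HUNT_NAME_RE` pattern is an inference from the six hostnames sharing the `<word>79.ddns.net` shape and is used only for a weaker "hunt" tier, as is a destination-port-only match.

```python
"""Added example (not from the sandbox report): NetWire C2 list -> IOCs -> log matching."""
import ipaddress
import re
from dataclasses import dataclass

# C2 entries exactly as extracted from the sample's configuration.
NETWIRE_C2 = [
    "127.0.0.1:3360",
    "chrisle79.ddns.net:4414",
    "jacknop79.ddns.net:4414",
    "smath79.ddns.net:4414",
    "whatis79.ddns.net:4414",
    "goodgt79.ddns.net:4414",
    "bonding79.ddns.net:4414",
]

# Assumption: the operator keeps registering "<word>79.ddns.net" names.
# Only used for the weaker "hunt" tier, never for a confirmed hit.
HUNT_NAME_RE = re.compile(r"^[a-z0-9]+79\.ddns\.net$")


@dataclass(frozen=True)
class Ioc:
    host: str
    port: int
    actionable: bool  # False for loopback placeholders such as 127.0.0.1:3360


def parse_c2(entries):
    """Split 'host:port' strings; a loopback IP is kept but marked non-actionable."""
    iocs = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        try:
            actionable = not ipaddress.ip_address(host).is_loopback
        except ValueError:
            actionable = True  # a DNS name, resolved by the implant at run time
        iocs.append(Ioc(host.lower(), int(port), actionable))
    return iocs


def scan(log_text, iocs):
    """Return (hits, hunts). hits: exact match on an actionable C2 hostname.
    hunts: C2 port alone, or a name matching the inferred naming pattern."""
    hosts = {i.host for i in iocs if i.actionable}
    ports = {i.port for i in iocs if i.actionable}
    hits, hunts = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, kind, src, target = parts
        if kind == "dns":
            name = target.lower().rstrip(".")
            if name in hosts:
                hits.append((ts, src, f"dns query for C2 host {name}"))
            elif HUNT_NAME_RE.match(name):
                hunts.append((ts, src, f"dns query matches C2 naming pattern: {name}"))
        elif kind == "conn":
            dst_ip, _, dst_port = target.rpartition(":")
            try:
                if ipaddress.ip_address(dst_ip).is_loopback:
                    continue  # loopback destination cannot be this C2
            except ValueError:
                continue  # not an IP literal in this constructed format
            if dst_port.isdigit() and int(dst_port) in ports:
                hunts.append((ts, src, f"connection to C2 port {dst_port} at {dst_ip}"))
    return hits, hunts


# Constructed sample log (not from the report). Line 5 is a name that only
# matches the inferred pattern; line 6 is the loopback placeholder.
SAMPLE_LOG = """\
1626700001 dns  10.0.0.12 chrisle79.ddns.net
1626700002 conn 10.0.0.12 203.0.113.7:4414
1626700003 dns  10.0.0.33 www.example.com
1626700004 conn 10.0.0.33 93.184.216.34:443
1626700005 dns  10.0.0.45 newname79.ddns.net
1626700006 conn 10.0.0.12 127.0.0.1:3360
"""

if __name__ == "__main__":
    hits, hunts = scan(SAMPLE_LOG, parse_c2(NETWIRE_C2))
    for tier, rows in (("HIT", hits), ("HUNT", hunts)):
        for ts, src, why in rows:
            print(f"{tier:4} {ts} {src} {why}")
```

Run against the constructed log, the first line is the only confirmed hit; the port-4414 connection and the pattern-only name land in the hunt tier, and the loopback connection is ignored. Port 4414 alone is not specific enough to alert on, which is why it is kept out of the hit tier.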
Signatures

  • Modifies WinLogon for persistence
    TTPs: Winlogon Helper DLL, Modify Registry
  • NetWire RAT payload
  • Netwire
    Description: Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.
  • Uses the VBS compiler for execution
    TTPs: Scripting
  • Suspicious use of SetThreadContext
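The "Modifies WinLogon for persistence" signature points at the Winlogon registry values (Shell and Userinit) that Windows runs at logon. Below is an added example, not part of the sandbox report, that checks those values against their stock defaults. It parses the text of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` so it can run offline over output collected from many hosts; `read_live()` runs the query on a Windows host. The two sample outputs are constructed, and the trailing `update.exe` path in the modified one is a hypothetical persistence entry, not a path the report lists (the extracted config's install_path is empty).

```python
"""Added example (not from the sandbox report): Winlogon Shell/Userinit check."""
import re
import subprocess

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values on a default Windows install. Comparison is case-insensitive
# and per comma-separated entry, since Windows keeps a trailing comma on
# Userinit and persistence commonly appends an extra executable after it.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}


def parse_reg_query(text):
    """Parse 'reg query' output: indented '<name>    <REG_type>    <data>' lines.
    The unindented key-path header line is skipped."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def check_winlogon(values):
    """Return (value_name, entry) pairs that deviate from the stock values."""
    findings = []
    for name in ("shell", "userinit"):
        data = values.get(name)
        if data is None:
            continue
        for entry in data.split(","):
            entry = entry.strip().strip('"').lower()
            if entry and entry not in EXPECTED[name]:
                findings.append((name, entry))
    return findings


def read_live():
    """Windows only: query the key with reg.exe and check it."""
    out = subprocess.run(
        ["reg", "query", WINLOGON_KEY], capture_output=True, text=True, check=True
    ).stdout
    return check_winlogon(parse_reg_query(out))


# Constructed sample outputs (not collected from the analysed sample).
CLEAN = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\\Windows\\system32\\userinit.exe,
"""

# Hypothetical second Userinit entry standing in for a persistence addition.
MODIFIED = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\update.exe
"""

if __name__ == "__main__":
    print("clean   :", check_winlogon(parse_reg_query(CLEAN)))
    print("modified:", check_winlogon(parse_reg_query(MODIFIED)))
```

The clean output yields no findings; the modified one reports the appended Userinit entry. The same check should be run against the HKCU Winlogon key as well, since a non-admin implant can only write there.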

MITRE ATT&CK Matrix

Tactics covered by the TTPs listed under Signatures: Execution (Scripting), Persistence and Privilege Escalation (Winlogon Helper DLL), Defense Evasion (Modify Registry, Scripting). No techniques are mapped under Collection, Command and Control, Credential Access, Discovery, Exfiltration, Impact, Initial Access or Lateral Movement.

Tasks

static1