General

  • Target

    SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980

  • Size

    339KB

  • Sample

    210723-gqzv6zrmt6

  • MD5

    959be976070ea4820a2e24dcce3d0bdf

  • SHA1

    7ec0c6d7d9b75ef8f078383a15d977b45dc434c1

  • SHA256

    6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e

  • SHA512

    de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e

Malware Config

Extracted

Family

netwire

C2

finerthings.duckdns.org:3021

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    H23053OIGS

  • install_path

  • keylogger_dir

  • lock_executable

    false

  • mutex

  • offline_keylogger

    false

  • password

    finerthings@963

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.30980

    • Size

      339KB

    • MD5

      959be976070ea4820a2e24dcce3d0bdf

    • SHA1

      7ec0c6d7d9b75ef8f078383a15d977b45dc434c1

    • SHA256

      6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e

    • SHA512

      de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • System Information Discovery (T1082): 1
