General

  • Target

    5413D7925B6E67E27E6FFDAB67974DBF.exe

  • Size

    183KB

  • Sample

    210723-lcmclg3s32

  • MD5

    5413d7925b6e67e27e6ffdab67974dbf

  • SHA1

    72250774c05d90f827cd3e9a85a0d5b7b4e3b791

  • SHA256

    7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32

  • SHA512

    8584a9c7c6b0dda77601096b595ad0b1820bb00ec508b05af9a3d067f8b926a9dac78d89bc9d4b415fcc5fabb7ebc108bab3169bfe51d0fb2697f179aba5dc10

Malware Config

Extracted

Family

netwire

C2

finerthings.duckdns.org:3021

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    H23053OIGS

  • install_path

  • keylogger_dir

  • lock_executable

    false

  • mutex

  • offline_keylogger

    false

  • password

    finerthings@963

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      5413D7925B6E67E27E6FFDAB67974DBF.exe

    • Size

      183KB

    • MD5

      5413d7925b6e67e27e6ffdab67974dbf

    • SHA1

      72250774c05d90f827cd3e9a85a0d5b7b4e3b791

    • SHA256

      7e12867c3e8353fc4175b559bbf654ccce1b253204fd7c5c0e2a72b56026ca32

    • SHA512

      8584a9c7c6b0dda77601096b595ad0b1820bb00ec508b05af9a3d067f8b926a9dac78d89bc9d4b415fcc5fabb7ebc108bab3169bfe51d0fb2697f179aba5dc10

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Tasks