D1682AA725C47B89C2066CFEAA8B3B55.exe

General
Target: D1682AA725C47B89C2066CFEAA8B3B55.exe
Size: 793KB
Sample: 210723-qpj66fmvka
Score: 10/10
MD5: d1682aa725c47b89c2066cfeaa8b3b55
SHA1: c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
SHA256: c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
SHA512: f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f

Malware Config

Extracted
Family: netwire
C2:
  nozomi.takanome.io:9030
  hikari.takanome.io:9030

Attributes
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path:
keylogger_dir: %AppData%\Syslog\
lock_executable: false
mutex:
offline_keylogger: true
password: Jtenike70+
registry_autorun: false
startup_name:
use_mutex: false
Targets

Target: D1682AA725C47B89C2066CFEAA8B3B55.exe
MD5: d1682aa725c47b89c2066cfeaa8b3b55
Filesize: 793KB
Score: 10/10
SHA1: c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
SHA256: c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
SHA512: f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f

Tags

Signatures

  • Modifies WinLogon for persistence
    Tags
    TTPs: Winlogon Helper DLL, Modify Registry
  • NetWire RAT payload
    Tags
  • Netwire
    Description: Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.
    Tags
  • Executes dropped EXE
  • Loads dropped DLL
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1