Resubmissions

14-05-2024 19:53

240514-yl8h8add8x 10

01-02-2022 03:33

220201-d4n73sgaen 10

General

  • Target

    db5038d60d1f0ee2f57fe0b3ee12f80ff10a90e088bd3316632036f4238823bf

  • Size

    1.1MB

  • Sample

    220201-d4n73sgaen

  • MD5

    3a4afbbc9f18b16ab620dfa374beeac7

  • SHA1

    afe30c445587aa62cf11d54153e1d3d419cd28e7

  • SHA256

    db5038d60d1f0ee2f57fe0b3ee12f80ff10a90e088bd3316632036f4238823bf

  • SHA512

    4a579e6c3991a428894924362c88ad5a2b97dfbb0522c20122f11a5779cd472cc2ac508ba2fd81f720a73cd9a45083e838759e4c252960256bdaa55a80e0d1de

Malware Config

Extracted

Family

netwire

C2

ihracat.myq-see.com:5770

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    2020-Clienst

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    hsFkbJUl

  • offline_keylogger

    true

  • password

    backdooR1

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true

Targets

    • Target

      UNICEF COVID-19 APP.exe

    • Size

      1.6MB

    • MD5

      e33ca6e0ec223d2b3e958131424eff4a

    • SHA1

      95d900e5915d99ad55fb24ed8c6d04a804035b45

    • SHA256

      1b15ef17ccb1a99c3953f61de01ebceaeef2277b3b5939408050dc7c1010d1bb

    • SHA512

      330731c2fda4b2af15d13bd7469d79d7ec14039da61fb763cfe030bf91f1244856a9c9e32a89e19a55363e82e5aba2cb3718599089d01314ca675a1dafabbd56

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Sets service image path in registry

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks