General

  • Target

    87ae17f03b47f54fd9f2a3cf9f3e1e4d5cdfa6592bec4a05214c30756599a3ef

  • Size

    88KB

  • Sample

    220216-3z9ewsfghn

  • MD5

    d9a34da9ef264b55ca886d1ff71867ea

  • SHA1

    ec21b596eb0d2529a8bf58fa36c7a5fd7dd1258b

  • SHA256

    87ae17f03b47f54fd9f2a3cf9f3e1e4d5cdfa6592bec4a05214c30756599a3ef

  • SHA512

    1a52ebf5e7ed3b9206855ac2474a8f7301b7a23db8bd5c13b96642f0a3cdd63e5acadb6231ae9f2c5610f1d2d650210bc12dbb15d96d39176f57c22c13ed711a

Malware Config

Extracted

Family

netwire

C2

185.84.181.89:1199

Attributes
  • activex_autorun

    true

  • activex_key

    {FDOO1AM2-V7NF-W6I5-46BR-T50KH2K5T0T6}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Chichi

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    BptiRohx

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    true

Targets

    • Target

      87ae17f03b47f54fd9f2a3cf9f3e1e4d5cdfa6592bec4a05214c30756599a3ef

    • Size

      88KB

    • MD5

      d9a34da9ef264b55ca886d1ff71867ea

    • SHA1

      ec21b596eb0d2529a8bf58fa36c7a5fd7dd1258b

    • SHA256

      87ae17f03b47f54fd9f2a3cf9f3e1e4d5cdfa6592bec4a05214c30756599a3ef

    • SHA512

      1a52ebf5e7ed3b9206855ac2474a8f7301b7a23db8bd5c13b96642f0a3cdd63e5acadb6231ae9f2c5610f1d2d650210bc12dbb15d96d39176f57c22c13ed711a

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks