General

  • Target

    86632e646e0aa7a9e6705b6385e37006de9eb9c66f4a508fbbe12689bad8d10e

  • Size

    160KB

  • Sample

    220217-aav7rafhbk

  • MD5

    bba8c544d808089aa2a99ebe375e1d2b

  • SHA1

    68ef67c7b0f9e611ef8b7e480d8dc2560d152bb2

  • SHA256

    86632e646e0aa7a9e6705b6385e37006de9eb9c66f4a508fbbe12689bad8d10e

  • SHA512

    8548c18adc9746bd1e69f6117afc26905576f09fdef92fb3135780e7acbca82c29277743e849347637b6cb1a284230c8a51c22ce8660027b7766fe721701035b

Malware Config

Extracted

Family

netwire

C2

androidratmobihack.ddns.net:3360

androidratmobihack.ddns.net:7777

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    qRhguWXi

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    Crack_Windows

  • use_mutex

    true

Targets

    • Target

      86632e646e0aa7a9e6705b6385e37006de9eb9c66f4a508fbbe12689bad8d10e

    • Size

      160KB

    • MD5

      bba8c544d808089aa2a99ebe375e1d2b

    • SHA1

      68ef67c7b0f9e611ef8b7e480d8dc2560d152bb2

    • SHA256

      86632e646e0aa7a9e6705b6385e37006de9eb9c66f4a508fbbe12689bad8d10e

    • SHA512

      8548c18adc9746bd1e69f6117afc26905576f09fdef92fb3135780e7acbca82c29277743e849347637b6cb1a284230c8a51c22ce8660027b7766fe721701035b

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks