General

  • Target

    794d29d2a03c6414456fdb791c61feec97a1e9cd3700d087b02c39fb166a2bae

  • Size

    148KB

  • Sample

    220217-aq69ysehc7

  • MD5

    74aa47b2d7722edfb0ffc8774ff89ab4

  • SHA1

    d6381cd5590a1fb2bd70823779d10b7b9d74e4b6

  • SHA256

    794d29d2a03c6414456fdb791c61feec97a1e9cd3700d087b02c39fb166a2bae

  • SHA512

    c3300fa4596a3b0bb8adf66f33d695f6e0c0d038f77e8330663e8a3150ad1bdb48b7e269b065bbb957183417f3d9df2dbd0bd8e8083f817078749637dad72d0d

Malware Config

Extracted

Family

netwire

C2

155.94.198.169:9112

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Corona-Virus

  • install_path

    %AppData%\Install\offiice365.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Pounds

  • registry_autorun

    true

  • startup_name

    officeii365

  • use_mutex

    false

Targets

    • Target

      794d29d2a03c6414456fdb791c61feec97a1e9cd3700d087b02c39fb166a2bae

    • Size

      148KB

    • MD5

      74aa47b2d7722edfb0ffc8774ff89ab4

    • SHA1

      d6381cd5590a1fb2bd70823779d10b7b9d74e4b6

    • SHA256

      794d29d2a03c6414456fdb791c61feec97a1e9cd3700d087b02c39fb166a2bae

    • SHA512

      c3300fa4596a3b0bb8adf66f33d695f6e0c0d038f77e8330663e8a3150ad1bdb48b7e269b065bbb957183417f3d9df2dbd0bd8e8083f817078749637dad72d0d

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks