General

  • Target

    789481741e0df019d839bf61181b5cdd085b2334123be58a4b64c12fa7bd6193

  • Size

    87KB

  • Sample

    220217-ar6d2sehd7

  • MD5

    ce7caebbced9ba9421219da04b63f07b

  • SHA1

    6c00b0424981171ba5011801bd7850d2a45a4139

  • SHA256

    789481741e0df019d839bf61181b5cdd085b2334123be58a4b64c12fa7bd6193

  • SHA512

    ddbe08316674a6c08a6f488fb5f33098351c5d8b2c93bd5c213764456e69241a0ea2eff48de4a19846083b42c4b7fd8656e4d40e29faf41b791ee0e128724433

Malware Config

Extracted

Family

netwire

C2

213.183.58.12:1555

Attributes

  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    true

  • host_id

    suchfamily

  • install_path

    %Temp%\SKYPE.exe

  • keylogger_dir

    %Temp%\Logs\

  • lock_executable

    false

  • mutex

    CBNlDpBK

  • offline_keylogger

    true

  • password

    Hkoco,~E$)

  • registry_autorun

    true

  • startup_name

    SKYPE

  • use_mutex

    true

Targets

    • Target

      789481741e0df019d839bf61181b5cdd085b2334123be58a4b64c12fa7bd6193

    • Size

      87KB

    • MD5

      ce7caebbced9ba9421219da04b63f07b

    • SHA1

      6c00b0424981171ba5011801bd7850d2a45a4139

    • SHA256

      789481741e0df019d839bf61181b5cdd085b2334123be58a4b64c12fa7bd6193

    • SHA512

      ddbe08316674a6c08a6f488fb5f33098351c5d8b2c93bd5c213764456e69241a0ea2eff48de4a19846083b42c4b7fd8656e4d40e29faf41b791ee0e128724433

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks