General

  • Target

    63c0153b2deff5a9286db1bbf41c327d55e4afeb938472b04f5f2e5367a1418f

  • Size

    87KB

  • Sample

    220217-csy3gafhf5

  • MD5

    588321542b59af4a4c9d48b3b06f8224

  • SHA1

    48428a910af44c2997c1dfd5258f8b4c40a102f5

  • SHA256

    63c0153b2deff5a9286db1bbf41c327d55e4afeb938472b04f5f2e5367a1418f

  • SHA512

    b2dc558c2803dbda420010790d8e1a5373a0e02db7eeeac8f679116ab24f388d9323ae0d4f53cac1507dbe353a4456c931f5056c27764e78bee7c1cbf645ae7e

Malware Config

Extracted

Family

netwire

C2

virginmilo.ddns.net:6111

174.127.99.186:1288

Attributes

  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    CHARLES

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    UmcuQVvf

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    System32

  • use_mutex

    true

Targets

    • Target

      63c0153b2deff5a9286db1bbf41c327d55e4afeb938472b04f5f2e5367a1418f

    • Size

      87KB

    • MD5

      588321542b59af4a4c9d48b3b06f8224

    • SHA1

      48428a910af44c2997c1dfd5258f8b4c40a102f5

    • SHA256

      63c0153b2deff5a9286db1bbf41c327d55e4afeb938472b04f5f2e5367a1418f

    • SHA512

      b2dc558c2803dbda420010790d8e1a5373a0e02db7eeeac8f679116ab24f388d9323ae0d4f53cac1507dbe353a4456c931f5056c27764e78bee7c1cbf645ae7e

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks