General

  • Target

    63814b99871f5bdcefca068e2ce4590ed565e30cf5217b83513a3d4b1b8d0d68

  • Size

    148KB

  • Sample

    220217-ctnywsfhg2

  • MD5

    ec2883c69ada31a9b06dcff508de2ff6

  • SHA1

    18e5d1df785debc83fd6368052f70b3d3ec38822

  • SHA256

    63814b99871f5bdcefca068e2ce4590ed565e30cf5217b83513a3d4b1b8d0d68

  • SHA512

    872947a8c755d1e2854ae8b61caa4e56b22306ff0c1dfcbed5eeaeeaba51b3c06e6f1432654a8a22a63deb38bc4679ec1cd4a2e2873b16cc2280589b5e1fbb72

Malware Config

Extracted

Family

netwire

C2

155.94.198.169:9112

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    false

  • host_id

    Corona-Virus

  • install_path

    %AppData%\Install\offiice365.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Pounds

  • registry_autorun

    true

  • startup_name

    officeii365

  • use_mutex

    false

Targets

    • Target

      63814b99871f5bdcefca068e2ce4590ed565e30cf5217b83513a3d4b1b8d0d68

    • Size

      148KB

    • MD5

      ec2883c69ada31a9b06dcff508de2ff6

    • SHA1

      18e5d1df785debc83fd6368052f70b3d3ec38822

    • SHA256

      63814b99871f5bdcefca068e2ce4590ed565e30cf5217b83513a3d4b1b8d0d68

    • SHA512

      872947a8c755d1e2854ae8b61caa4e56b22306ff0c1dfcbed5eeaeeaba51b3c06e6f1432654a8a22a63deb38bc4679ec1cd4a2e2873b16cc2280589b5e1fbb72

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks