General

  • Target: 62fbf539bee897a1568b67b7f8470bfab1510e74199f7f65fbfa285d059a83b5
  • Size: 160KB
  • Sample: 220217-cv9xrafhh6
  • MD5: bfb071aad331dfc7729defbb20d26dce
  • SHA1: 001258d9abdd9430d5d26cb637c6f9810a43379a
  • SHA256: 62fbf539bee897a1568b67b7f8470bfab1510e74199f7f65fbfa285d059a83b5
  • SHA512: da75305de2a4883ee577b6f42e6477316f76c4c9461aa3756839c4cb6adb698a901d734fdf4a818c4cff281951941ac8cc6574002acb8fd60d0bf56fcd200b86

Malware Config

Extracted

  • Family: netwire
  • C2: 54.38.124.53:3360

Attributes
  • activex_autorun: false
  • activex_key:
  • copy_executable: true
  • delete_original: true
  • host_id: HostId-%Rand%
  • install_path: %AppData%\Spotify\Launcher.exe
  • keylogger_dir:
  • lock_executable: true
  • mutex: LuvRmPDs
  • offline_keylogger: false
  • password: Password
  • registry_autorun: true
  • startup_name: Spotify
  • use_mutex: true

Targets

    • Target: 62fbf539bee897a1568b67b7f8470bfab1510e74199f7f65fbfa285d059a83b5
    • Size: 160KB
    • MD5: bfb071aad331dfc7729defbb20d26dce
    • SHA1: 001258d9abdd9430d5d26cb637c6f9810a43379a
    • SHA256: 62fbf539bee897a1568b67b7f8470bfab1510e74199f7f65fbfa285d059a83b5
    • SHA512: da75305de2a4883ee577b6f42e6477316f76c4c9461aa3756839c4cb6adb698a901d734fdf4a818c4cff281951941ac8cc6574002acb8fd60d0bf56fcd200b86

    • NetWire RAT payload
    • Netwire: Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.
    • Executes dropped EXE
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
    • Loads dropped DLL
    • Adds Run key to start application
