General

  • Target

    631b798761b94ea5e6b65261a2c8ffc727375731d85f0fe457d03c98e3908772

  • Size

    88KB

  • Sample

    220217-cvw1wshbck

  • MD5

    e63eeefa00cece8dedd70ebe4b5e239b

  • SHA1

    9545e019060112ef517ae88186c20bfab41d4bd7

  • SHA256

    631b798761b94ea5e6b65261a2c8ffc727375731d85f0fe457d03c98e3908772

  • SHA512

    138f4bd7e9fd6b4dedf377333c373c6f69c20e5dacab8baa190965eaf7a9ecd6aabac6d8699d72063f8340646dc0598e812b0d83fd1c9d488cbd12c9ceb26d3f

Malware Config

Extracted

Family

netwire

C2

mafian222.myftp.org:1999

mafianclub222.dynu.com:1999

Attributes
  • activex_autorun

    true

  • activex_key

    {1JJ08038-W8W8-O76K-FM5S-DSQNUFS0N462}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    RECHENA

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    true

  • startup_name

    NetWire

  • use_mutex

    false

Targets

    • Target

      631b798761b94ea5e6b65261a2c8ffc727375731d85f0fe457d03c98e3908772

    • Size

      88KB

    • MD5

      e63eeefa00cece8dedd70ebe4b5e239b

    • SHA1

      9545e019060112ef517ae88186c20bfab41d4bd7

    • SHA256

      631b798761b94ea5e6b65261a2c8ffc727375731d85f0fe457d03c98e3908772

    • SHA512

      138f4bd7e9fd6b4dedf377333c373c6f69c20e5dacab8baa190965eaf7a9ecd6aabac6d8699d72063f8340646dc0598e812b0d83fd1c9d488cbd12c9ceb26d3f

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks