7c9df5ab3b23d6f93f280a7b29fdcd39cd5f68100a83d3b30aefee4990f34aef

General

Target  7c9df5ab3b23d6f93f280a7b29fdcd39cd5f68100a83d3b30aefee4990f34aef
Size    497KB
Sample  220520-2eh7jaacgj
Score   10/10
MD5     17bdf63a8615bdcd21325ad817d0b7b7
SHA1    5aaa02ee090c3eeeb997c7a6d5ec683503981ea0
SHA256  7c9df5ab3b23d6f93f280a7b29fdcd39cd5f68100a83d3b30aefee4990f34aef
SHA512  63168ddcf9fcb8b2b6e05da932a2f54dca9cc591109fc06559b202b9deb35c6a44826a0fb248f6e894fe54b435d78c90a282a352fd4a21eb1c017dbde4569c5d
Malware Config

Extracted

Family  netwire
C2      sepp.myq-see.com:2001

Attributes

activex_autorun    true
activex_key        {50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
copy_executable    true
delete_original    false
host_id            HostId-%Rand%
install_path       %AppData%\Install\Host.exe
keylogger_dir      %AppData%\Logs\
lock_executable    false
mutex              XdWObmml
offline_keylogger  true
password           Password
registry_autorun   false
startup_name
use_mutex          true
Targets

Target    0w1XziesiBaxbYs.exe
MD5       f0cac1110e145d3b260ad6be1566dc10
Filesize  520KB
Score     10/10
SHA1      f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
SHA256    506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
SHA512    b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
Signatures

  • NetWire RAT payload
    Tags: Netwire
    Description: NetWire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

  • Looks for VirtualBox Guest Additions in registry
    TTPs: Query Registry; Virtualization/Sandbox Evasion

  • Executes dropped EXE

  • Looks for VMWare Tools registry key
    TTPs: Query Registry; Virtualization/Sandbox Evasion

  • Modifies Installed Components in the registry
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Checks BIOS information in registry
    Description: BIOS information is often read in order to detect sandboxing environments.
    TTPs: Query Registry; System Information Discovery

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely for geofencing.
    TTPs: Query Registry; System Information Discovery

  • Loads dropped DLL

  • Maps connected drives based on registry
    Description: Disk information is often read in order to detect sandboxing environments.
    TTPs: Query Registry; Peripheral Device Discovery; System Information Discovery

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation