General

  • Target

    d3da5a40330a85a499e5706593908906f2e2df166d713fef626737c3a4472b6c

  • Size

    321KB

  • Sample

    220520-3rcqyshdc4

  • MD5

    5a8a759da9cde54f967c21f7e32eee98

  • SHA1

    3565e23cec0ee6bf3364bd58c010de539d3eae0d

  • SHA256

    d3da5a40330a85a499e5706593908906f2e2df166d713fef626737c3a4472b6c

  • SHA512

    d9856f780f68ba33b72b74b7b013289fab83329ee78c4f8f691bcddcf6c4cd7ca2856d6a160c81af9752b966f5fd1ba56910b75dfc220e77135a0900d108cbec

Malware Config

Extracted

Family

netwire

C2

79.134.225.27:3360

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      INV9938483.exe

    • Size

      1000KB

    • MD5

      535c9fd606aa987e234792a9d0bb41b7

    • SHA1

      012a12fddee7ed7c9a0e5df786af8a5a4cc9087b

    • SHA256

      3d586b05bf8ae586060343c9dc3b33b82d463e177ae92dd242de1a72946e4b13

    • SHA512

      4e07dacb2382daff56b32d207d27ca8862646936c25d1658548c5511b385e9497964c4496e6e34f8c4857e4b744919a6d36a3eef4e382656132dfb06e2392de4

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks