General

  • Target

    d2091abba8c6725d31c3119393232ba84ece78d0a2cba338a9d5d0e9febcfce9

  • Size

    983KB

  • Sample

    220520-d6snaaaghm

  • MD5

    7d3808864afc7f49f0ea9bf1a7a0c66a

  • SHA1

    a4817d5b8bbae8539218a21bf749446da2ab573b

  • SHA256

    d2091abba8c6725d31c3119393232ba84ece78d0a2cba338a9d5d0e9febcfce9

  • SHA512

    f70c28c29e52879f67835ff681e7af9c1dcfd3d526e1efe962c60d1a3fc1875511b81c26874b64632d2e80fc88ad973b2c88a030816e05fb8f1026b267b319ff

Malware Config

Extracted

Family

netwire

C2

pd1n.ddns.net:1968

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    pd1n-noip

  • install_path

  • keylogger_dir

  • lock_executable

    false

  • mutex

  • offline_keylogger

    false

  • password

    Kimbolsapoq!P12

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      d2091abba8c6725d31c3119393232ba84ece78d0a2cba338a9d5d0e9febcfce9

    • Size

      983KB

    • MD5

      7d3808864afc7f49f0ea9bf1a7a0c66a

    • SHA1

      a4817d5b8bbae8539218a21bf749446da2ab573b

    • SHA256

      d2091abba8c6725d31c3119393232ba84ece78d0a2cba338a9d5d0e9febcfce9

    • SHA512

      f70c28c29e52879f67835ff681e7af9c1dcfd3d526e1efe962c60d1a3fc1875511b81c26874b64632d2e80fc88ad973b2c88a030816e05fb8f1026b267b319ff

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Tasks