General

  • Target

    3c797945540ee1629a4a6f02a4c18ea794f56ec29b6a39508097998a0e5cecde

  • Size

    547KB

  • Sample

    220520-rncq1abaam

  • MD5

    d22d57d7338394db96c4d4c15a436775

  • SHA1

    e5dd02cf7bfd8792f039d0ed47d0177bbe46ae40

  • SHA256

    3c797945540ee1629a4a6f02a4c18ea794f56ec29b6a39508097998a0e5cecde

  • SHA512

    cc561c2faface80fbc9d4bb42d2a0de8452e245c33d1905ece787842ef352e8a11b149e83fed46aa9662a9996676d1dced41d12fbb4fad4aaad09b5cab47ac33

Malware Config

Targets

    • Target

      Factura.exe

    • Size

      567KB

    • MD5

      2f8c343e41d3829aa8e24eebff7de4ab

    • SHA1

      5b18da64018f2e114ab3c160e07deb28a6906233

    • SHA256

      ffd24bd48e21a03c0b7fc884a12bd22e88e8d56735d810fccb64e6e6ca27768d

    • SHA512

      c44bf15ba71f39dc737abc8dbd8312e8453cad425c89f69318d99e6ec49ebc1bc77f51982010a71d1fcfd07bcf51f6312282da711bd38be4235e548b5204963e

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Tasks