General

  • Target

    4a8587f61a4969ae73d103ee83d1cdb1a12ebe6734bf32ab00a1de1529e54cf5

  • Size

    468KB

  • Sample

    220520-rwvlsabdhq

  • MD5

    f426569c2ebd6d3fe4c05a29446509ad

  • SHA1

    47d629d9f8cdbb5a8fb194ffa4e6a20964bee075

  • SHA256

    4a8587f61a4969ae73d103ee83d1cdb1a12ebe6734bf32ab00a1de1529e54cf5

  • SHA512

    23641961e9260d0b8f1b33276223bcda03741dd73f2ea764f8b37b757ed1c42d76abc44ff95d2797d6eb2408ee9e0fa6d599cdb08efa3967b0f8124d19462525

Malware Config

Targets

    • Target

      SCANDA_Statement_of_Account_July_2020.exe

    • Size

      486KB

    • MD5

      32c10b0b4bb8a7e70cf58c573a05f16a

    • SHA1

      a22e8814f215f2564d6c476506d7f76eb78fe80e

    • SHA256

      146856560590ec6f2434f34fe94b4dd5de0d7ed700cdaccc15663db1fbc8c4aa

    • SHA512

      717ea71453999846b87dfe952b9d6cc64617a69909e07de9934668e48f320b7be52ec370917adf520a36de5a0441091e73565c3083e58f251e8b8af5776b7042

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionalities are password stealing and keylogging; it also includes remote control capabilities.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

    • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

    • Modify Registry (T1112): 2

Discovery

    • Query Registry (T1012): 2

    • System Information Discovery (T1082): 3

Tasks