General

  • Target

    30a798f90d068468a49bda1cf1dc25d8a89b6ff3acdcf3715f852bf5aba48d7f

  • Size

    260KB

  • Sample

    220520-xd4dvsfcfm

  • MD5

    5d0b535797bcd3fd8b482e250e339aa6

  • SHA1

    71d95bf3290b7f39498cd20fb983feb46f6a6d5c

  • SHA256

    30a798f90d068468a49bda1cf1dc25d8a89b6ff3acdcf3715f852bf5aba48d7f

  • SHA512

    ab297abcfcc8a85d59dcd749ea0eeee8ea6f8e47a78a2c99ef70f1691385109981b587dbad44391ca3fbea0a36d117c1bc2aa408475e5ef741fb8e5461075392

Malware Config

Targets

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain countries).

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2 signatures

  • Defense Evasion

    Modify Registry (T1112): 2 signatures

  • Discovery

    Query Registry (T1012): 1 signature

    System Information Discovery (T1082): 2 signatures
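As an added example (not part of the sandbox report, and not the sandbox's own detection code), the Python below classifies registry operations from a sandbox-style API trace against the three registry-based signatures listed above and the ATT&CK v6 technique IDs in the matrix. The trace records are constructed for illustration; the registry paths are the real locations the signatures refer to: the Run key for persistence, Active Setup's Installed Components, and HKCU\Control Panel\International, which holds the locale and GeoID that a geofence check reads. Reads and writes are matched separately, since a read of the Run key is discovery, not persistence.

```python
"""Classify registry operations against the behaviours in the report.

Added example, not code from the original report. The events below are
constructed; the rule paths are the actual registry locations behind the
signatures "Adds Run key to start application", "Modifies Installed
Components in the registry" and "Checks computer location settings".
"""
import re
from collections import Counter

# Each rule: (operations it applies to, registry path regex,
#             signature name from the report, ATT&CK v6 technique ID)
RULES = [
    ({"RegSetValue", "RegCreateKey"},
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)", re.I),
     "Adds Run key to start application", "T1060"),
    ({"RegSetValue", "RegCreateKey"},
     re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\", re.I),
     "Modifies Installed Components in the registry", "T1112"),
    ({"RegQueryValue", "RegOpenKey"},
     re.compile(r"\\Control Panel\\International(\\|$)", re.I),
     "Checks computer location settings", "T1012"),
]

# Constructed API-trace records (hypothetical process name and GUID).
SAMPLE_EVENTS = [
    {"op": "RegSetValue",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Host",
     "data": r"C:\Users\victim\AppData\Roaming\Install\Host.exe"},
    {"op": "RegSetValue",
     "path": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
             r"\{11111111-2222-3333-4444-555555555555}\StubPath",
     "data": r"C:\Users\victim\AppData\Roaming\Install\Host.exe"},
    {"op": "RegQueryValue",
     "path": r"HKCU\Control Panel\International\Geo\Nation",
     "data": ""},
    # A read of the Run key is enumeration, not persistence: no hit.
    {"op": "RegQueryValue",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": ""},
    # Benign write elsewhere: no hit.
    {"op": "RegSetValue",
     "path": r"HKCU\Software\Classes\Local Settings\MuiCache\Host.exe",
     "data": "Host"},
]


def classify(events):
    """Return (event index, signature, technique) for every matching rule."""
    hits = []
    for i, ev in enumerate(events):
        for ops, pattern, signature, technique in RULES:
            if ev["op"] in ops and pattern.search(ev["path"]):
                hits.append((i, signature, technique))
    return hits


def technique_counts(events):
    """Count hits per ATT&CK technique, in the style of the matrix above."""
    return Counter(technique for _, _, technique in classify(events))


if __name__ == "__main__":
    for idx, signature, technique in classify(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{technique} {signature}: {ev['op']} {ev['path']}")
    print(dict(technique_counts(SAMPLE_EVENTS)))
```

Run against a real trace, the `data` field of the T1060 and T1112 hits is what to pivot on: the Active Setup StubPath and the Run value should both point at the dropped executable, which ties the "Executes dropped EXE" signature to the persistence entries.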

Tasks