General

  • Target

    59c40f93040678f5340c707b6e5f50005821f6141d4db337d8b4b04405779d31

  • Size

    356KB

  • Sample

    220520-z9e29adfc2

  • MD5

    ef08c05c6a5b07052db69ea5c69ecfa4

  • SHA1

    fd3e69026e6de2476d807143026a341cc34f9d4d

  • SHA256

    59c40f93040678f5340c707b6e5f50005821f6141d4db337d8b4b04405779d31

  • SHA512

    66508a46e5b4424a5e280d220a0075f4501d0bf76a2e236b713aa0ebc5d8a3f82822bbe2a782bce2ce8756454c4c11019c315d796d0ebd6750ab0f38b198334c

Malware Config

Targets

    • Target

      59c40f93040678f5340c707b6e5f50005821f6141d4db337d8b4b04405779d31

    • Size

      356KB

    • MD5

      ef08c05c6a5b07052db69ea5c69ecfa4

    • SHA1

      fd3e69026e6de2476d807143026a341cc34f9d4d

    • SHA256

      59c40f93040678f5340c707b6e5f50005821f6141d4db337d8b4b04405779d31

    • SHA512

      66508a46e5b4424a5e280d220a0075f4501d0bf76a2e236b713aa0ebc5d8a3f82822bbe2a782bce2ce8756454c4c11019c315d796d0ebd6750ab0f38b198334c

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks