General

  • Target

    f8d54d69a3d89f5417af6ac2438e70fc598501d612b6f96df412975927f31c1b

  • Size

    355KB

  • Sample

    220521-b82mvsdde6

  • MD5

    d3b7efbbcba32ece8389bf4d67538fb8

  • SHA1

    aa7a1d1350c2ac2e4bead2872f509a58e56ba751

  • SHA256

    f8d54d69a3d89f5417af6ac2438e70fc598501d612b6f96df412975927f31c1b

  • SHA512

    28d3a9a03b53959dfb632cd187847de2e27a4689d2f50d3d0b3cfe05a452fafd066da2fb960e5ff6a6cb7e53bdc683011ae73689a277edfbb964f7046c9a8bca

Malware Config

Extracted

  • Family

    netwire

  • C2

    gold1.dnsupdate.info:4770
    79.134.225.79:4770

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      OrderList.exe

    • Size

      616KB

    • MD5

      1337cd4ad86e2a55d005dd32fdbe03f9

    • SHA1

      a0a23d6ecb8c6a60503d0b593165310a6f8a1ab1

    • SHA256

      be148ec34c1a4adc8afa7bd26f7951dc5f11984d07024a10b4af1c285f38b588

    • SHA512

      8f83ecd25d858f35eb382254e87b45de11a0a884a88ab5fbf4938338ec185a5a8d9ec3dda04abc798d0355e65eedbbfccf7613315bf1962d08b095aecaa748fe

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks