General

  • Target

    629ac7f51d1bb60d65dbf55694c25bc01681d5fd349fca17b0aef9ddd8ad049e

  • Size

    245KB

  • Sample

    220521-btmkdsfecj

  • MD5

    f6bd9a111b3d59431c688b1a41a0681d

  • SHA1

    0173f368a929238110b6cff5ef05e17f35c6761e

  • SHA256

    629ac7f51d1bb60d65dbf55694c25bc01681d5fd349fca17b0aef9ddd8ad049e

  • SHA512

    6ccaa07cae981015f281f8b1cb7a9602ebf1a6089bb8b28f37d5d26dc91a5518f4c0e89b6c1dd033c07cac72e61c90e7d22998b3c4cf5340840f01e72ef8810d

Malware Config

Extracted

Family

netwire

C2

ichie02.ddns.net:3360

84.38.135.207:3360

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    true

  • host_id

    ICHIE007

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

    AcYrNKLE

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    true
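The extracted configuration above is directly usable for host-side hunting: the install path, keylogger directory, mutex name and C2 endpoints are all values a defender can match against process, file, mutex and network telemetry. The script below is an added example and is not part of the sandbox report or of any Triage tooling. The indicator values are taken verbatim from the Malware Config section; the log line format (timestamp followed by key=value fields such as event=, path=, name=, dst=, dport=) and the sample lines are constructed for illustration and do not follow any real EDR schema, and %AppData% is assumed to expand to the default C:\Users\<user>\AppData\Roaming. A process that hits two or more independent indicator classes is reported as an implant rather than a single coincidental match.

```python
"""Match the extracted NetWire configuration against host telemetry.

Added example, not part of the sandbox report. Indicator values come from
the report's Malware Config section; the log format and lines are
CONSTRUCTED and the field names are assumptions, not a real EDR schema.
"""
import re
from collections import defaultdict

# Indicators copied from the extracted config (C2 endpoints, paths, mutex).
NETWIRE_CONFIG = {
    "c2": {("ichie02.ddns.net", 3360), ("84.38.135.207", 3360)},
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "mutex": "AcYrNKLE",
}
C2_HOSTS = {host for host, _ in NETWIRE_CONFIG["c2"]}


def config_path_regex(cfg_path: str) -> "re.Pattern[str]":
    """Turn a NetWire config path into a case-insensitive regex over real paths.

    %AppData% is the only placeholder the extracted config uses. Assumption:
    a default profile layout, so it expands to <drive>:\\Users\\<user>\\AppData\\Roaming.
    A trailing backslash in the config means "anything under this directory".
    """
    if not cfg_path.startswith("%AppData%"):
        raise ValueError("only %AppData%-relative config paths are handled")
    prefix = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"
    rest = cfg_path[len("%AppData%"):]
    tail = ".+" if rest.endswith("\\") else "$"
    return re.compile("^" + prefix + re.escape(rest) + tail, re.IGNORECASE)


INSTALL_RE = config_path_regex(NETWIRE_CONFIG["install_path"])
KEYLOG_RE = config_path_regex(NETWIRE_CONFIG["keylogger_dir"])


def parse_line(line: str) -> dict:
    """Parse '<timestamp> key=value key=value ...' into a dict (constructed format)."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def match_event(event: dict) -> list:
    """Return the names of the NetWire indicators this event matches."""
    hits = []
    kind = event.get("event")
    if kind == "file_write":
        path = event.get("path", "")
        if INSTALL_RE.match(path):
            hits.append("install_path")
        if KEYLOG_RE.match(path):
            hits.append("keylogger_dir")
    elif kind == "mutex_create" and event.get("name") == NETWIRE_CONFIG["mutex"]:
        hits.append("mutex")
    elif kind == "dns_query" and event.get("query") in C2_HOSTS:
        hits.append("c2_dns")
    elif kind == "net_connect":
        endpoint = (event.get("dst"), int(event.get("dport", 0)))
        if endpoint in NETWIRE_CONFIG["c2"]:
            hits.append("c2_connect")
        elif endpoint[0] in C2_HOSTS:
            # Same infrastructure on an unexpected port: worth a look, weaker signal.
            hits.append("c2_host_other_port")
    return hits


def triage(log_text: str):
    """Return (findings, implant_pids): every indicator hit, and the PIDs that
    matched at least two independent indicator classes."""
    findings = []
    per_pid = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        for hit in match_event(event):
            findings.append((event["ts"], event.get("pid"), hit))
            per_pid[event.get("pid")].add(hit)
    implants = sorted(pid for pid, hits in per_pid.items() if len(hits) >= 2)
    return findings, implants


# CONSTRUCTED sample telemetry: one infected process plus two benign look-alikes.
SAMPLE_LOG = r"""
2022-05-21T10:01:02Z host=WS01 event=process_create pid=4120 image=C:\Users\bob\Desktop\#204811.exe
2022-05-21T10:01:03Z host=WS01 event=file_write pid=4120 path=C:\Users\bob\AppData\Roaming\Install\Host.exe
2022-05-21T10:01:04Z host=WS01 event=mutex_create pid=4120 name=AcYrNKLE
2022-05-21T10:01:05Z host=WS01 event=dns_query pid=4120 query=ichie02.ddns.net answer=84.38.135.207
2022-05-21T10:01:06Z host=WS01 event=net_connect pid=4120 dst=84.38.135.207 dport=3360
2022-05-21T10:01:09Z host=WS01 event=file_write pid=4120 path=C:\Users\bob\AppData\Roaming\Logs\2022-05-21
2022-05-21T10:02:00Z host=WS01 event=net_connect pid=900 dst=84.38.135.207 dport=443
2022-05-21T10:02:30Z host=WS01 event=file_write pid=2212 path=C:\Users\bob\AppData\Roaming\Install\readme.txt
"""

if __name__ == "__main__":
    hits, implants = triage(SAMPLE_LOG)
    for ts, pid, name in hits:
        print(f"{ts} pid={pid} {name}")
    print("probable NetWire implants:", implants)
```

Matching on the mutex and the exact install path is the most specific check here; the C2 hostname is a dynamic DNS name and the IP may be reassigned, so treat network hits on their own as leads to pivot from rather than as verdicts.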

Targets

    • Target

      #204811.exe

    • Size

      287KB

    • MD5

      1fb35d8aa5797fbbc4225a095c106552

    • SHA1

      cb08a463884542659aa9856d2dd0dd8e5d3f31cb

    • SHA256

      fc70d13e41ab6c3d36b72e329549c48e70767e37b06c5bbe7284896e935c6815

    • SHA512

      aeb871ca5da00328c3f5742bef2ccd6715f27c76f62db47118237312801f1b7b9672afa5becc67f01d50bc887f80b92cde80c7242468ddf55f5660774d7884bc

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging; it also provides remote control of the infected host.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2
