General

  • Target

    afb777c3c1bbd190af137c193d61137833365f73c9e8915e15fa0bc260aecdb5

  • Size

    247KB

  • Sample

    220521-n75z4sege6

  • MD5

    930d854da3822f77268180b89ec539a4

  • SHA1

    b550164598c3a7c9f2e131891c4ccae8193f93ba

  • SHA256

    afb777c3c1bbd190af137c193d61137833365f73c9e8915e15fa0bc260aecdb5

  • SHA512

    2d0049b90b6fef066571b69f365f2f4a89950c0deab1ca5347fbeed05bd09377cb0bd82565c3dac78d4fd433a60c33b63c2eb15c204b74ccd00f901d2a002186

Malware Config

Extracted

Family

netwire

C2

194.5.97.109:3360

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    true

  • delete_original

    true

  • host_id

    MAZI

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false
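
The extracted configuration above is directly actionable: the C2 socket, the install path and the keylogger directory are the host and network artifacts an infected machine will produce (registry_autorun and use_mutex are both false, so a Run key and a named mutex are not the things to hunt for here). The following script is an added example written for this report, not code from the sandbox or from NetWire itself. It takes the config values listed on the page, expands the %AppData% paths into patterns that match any user profile on a default Windows layout (an assumption about the expansion), and matches them against a handful of constructed Sysmon-style events whose field names are illustrative, not a real schema.

```python
"""Turn the extracted NetWire config into indicators and match them against
endpoint telemetry.

Added example for this report, not sandbox or NetWire code. Config values are
the ones listed on the page; event records are constructed samples and their
field names (type, image, parent, target, dst_ip, dst_port) are assumptions.
"""
import re

# Values copied from the extracted config on the page.
NETWIRE_CONFIG = {
    "c2": "194.5.97.109:3360",
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "host_id": "MAZI",
    "copy_executable": True,
    "delete_original": True,
    "offline_keylogger": True,
    "registry_autorun": False,
    "use_mutex": False,
}

# Assumption: %AppData% expands to <drive>:\Users\<user>\AppData\Roaming.
_APPDATA_RE = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"


def _expand_appdata_pattern(path: str, prefix: bool = False) -> re.Pattern:
    """Compile a %AppData%-relative path into a case-insensitive regex that
    matches the expanded path for any user. With prefix=True the pattern
    matches anything underneath the directory (used for keylogger_dir)."""
    if not path.upper().startswith("%APPDATA%"):
        raise ValueError("expected a %AppData%-relative path")
    tail = re.escape(path[len("%AppData%"):])  # e.g. \Install\Host.exe
    return re.compile("^" + _APPDATA_RE + tail + (".*" if prefix else "") + "$",
                      re.IGNORECASE)


def iocs_from_config(cfg: dict) -> dict:
    """Derive the network and host indicators implied by the config."""
    ip, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_ip": ip,
        "c2_port": int(port),
        "install_exe": _expand_appdata_pattern(cfg["install_path"]),
        "keylog_dir": _expand_appdata_pattern(cfg["keylogger_dir"], prefix=True),
    }


def match_events(events: list, iocs: dict) -> list:
    """Return (event_index, indicator_name) pairs for every event that touches
    one of the indicators. A connection to the C2 IP is flagged even when the
    port differs, since the IP is the stronger signal."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "network_connect" and ev["dst_ip"] == iocs["c2_ip"]:
            same_port = ev["dst_port"] == iocs["c2_port"]
            hits.append((i, "c2_endpoint" if same_port else "c2_ip_other_port"))
        for field in ("image", "parent", "target"):
            value = ev.get(field)
            if not value:
                continue
            if iocs["install_exe"].match(value):
                hits.append((i, f"install_path:{field}"))
            elif iocs["keylog_dir"].match(value):
                hits.append((i, f"keylogger_dir:{field}"))
    return hits


# Constructed sample telemetry (not from the sandbox run).
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\Install\Host.exe",
     "parent": r"C:\Users\alice\Downloads\INQUIRY.exe"},
    {"type": "network_connect",
     "image": r"C:\Users\alice\AppData\Roaming\Install\Host.exe",
     "dst_ip": "194.5.97.109", "dst_port": 3360},
    {"type": "file_create",
     "image": r"C:\Users\alice\AppData\Roaming\Install\Host.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Logs\20220521"},
    {"type": "process_create",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "194.5.97.109", "dst_port": 443},
]

if __name__ == "__main__":
    for idx, name in match_events(SAMPLE_EVENTS, iocs_from_config(NETWIRE_CONFIG)):
        print(f"event {idx}: {name}")
```

The benign browser process in the sample set never matches a path indicator, but its connection to the C2 address on a different port is still surfaced as c2_ip_other_port, which is usually worth a look because NetWire operators can change the listening port without changing the host.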

Targets

    • Target

      INQUIRY.exe

    • Size

      259KB

    • MD5

      f652086d83ccc25c14bbcebb9229cbd4

    • SHA1

      cadd3972915bd7ffee7442c8b60ff6acc156705e

    • SHA256

      9a6951c6f3c33c217edd9a4e32f5422c4e125b909d0c88e190b76eb695f05b72

    • SHA512

      1fb741fe778c749d465cea204739519bf2a4bad4121d472f3ada7bbd8c7d3f09fb43eb7a3e81c0de88105bc89d1ba32254ef41bc96d13b12920e796a6cee8d0c

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging; it also provides remote control of the infected host.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Discovery             Query Registry                1      T1012
  Discovery             System Information Discovery  2      T1082

Tasks