General

  • Target: 0c79a79bfa7a512a9dc8f95b152877750efd1ab82a1345627142dff132b757d0
  • Size: 246KB
  • Sample: 220521-pcf8yaacam
  • MD5: 174b8019db6302d13033c732e6630ea8
  • SHA1: 7ff521c20b53b1f2b53d1379884bed7d126f7b76
  • SHA256: 0c79a79bfa7a512a9dc8f95b152877750efd1ab82a1345627142dff132b757d0
  • SHA512: 0fd89a9d7c4a04623cd80ce71b2fcf1af413327ad702f250939e24b5e06171a2efc0e9f48b71bdb1903d83255943731c183e41295391dd2390c3c95b46495d45

Malware Config

Extracted

  • Family: netwire
  • C2:
    jswork.duckdns.org:7676
    jswork.ddns.net:7676

Attributes

  • activex_autorun: false
  • activex_key
  • copy_executable: false
  • delete_original: false
  • host_id: jswork
  • install_path
  • keylogger_dir: %AppData%\Logs\
  • lock_executable: false
  • mutex: NokkODEH
  • offline_keylogger: true
  • password: 111aaa@@@
  • registry_autorun: false
  • startup_name
  • use_mutex: true

Targets

    • Target: PO# 20200612-1AlbaPDF.exe
    • Size: 296KB
    • MD5: 93d00c69b45517418d0f60248f3fff02
    • SHA1: 063d4997c2a13113f55c79c4db9f761f4c399e0b
    • SHA256: aa7433f4fd0ef15eed9c75d0e37a849909f7661b4d30063cff58879287fd2358
    • SHA512: e4d139cb3d4d11effa92c732e765a1540f39ed952e98b9dad6644ff4eb77d7b9196fd84c9d2c412127bf916c7feea2135595f27265a49a4befb8a8fa96cfc984

Signatures

    • NetWire RAT payload
    • Netwire
      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.
    • Looks for VirtualBox Guest Additions in registry
    • ReZer0 packer
      Detects ReZer0, a packer with multiple versions used in various campaigns.
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Uses the VBS compiler for execution
    • Maps connected drives based on registry
      Disk information is often read in order to detect sandboxing environments.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scripting (1) T1064
  • Scheduled Task (1) T1053

Persistence
  • Scheduled Task (1) T1053

Privilege Escalation
  • Scheduled Task (1) T1053

Defense Evasion
  • Virtualization/Sandbox Evasion (2) T1497
  • Scripting (1) T1064

Discovery
  • Query Registry (5) T1012
  • Virtualization/Sandbox Evasion (2) T1497
  • System Information Discovery (4) T1082
  • Peripheral Device Discovery (1) T1120

Tasks