13449784267e8b9f277e7aa2fdacecadfa3ad1843bf750190963b69b3b590c8f

General

Target: 13449784267e8b9f277e7aa2fdacecadfa3ad1843bf750190963b69b3b590c8f
Size: 885KB
Sample: 220521-w277aaebaj
Score: 10/10
MD5: 5cc2db7fe3b222b100b9107896943e6f
SHA1: 38822f40ac45140a80561e55742e2b7aae3b5a65
SHA256: 13449784267e8b9f277e7aa2fdacecadfa3ad1843bf750190963b69b3b590c8f
SHA512: 2fe32369a65bfb7f586121a937b1eb20c81f7ce0f0418780c4fda125395154d476b1b8c33c27c9b6cc1dd5799b1b4e91f850853f685fd62741f173d85e2c881c

Malware Config

Targets

Target: Proof of payment.exe
MD5: 328549191a15865db4e088aa1375a7b2
Filesize: 1MB
Score: 10/10
SHA1: 5b2128274c3c069c90fe14b13c95ee1339873048
SHA256: ff0ebb75a316c61d851a3edfb2ec49a5c05a2054032dbb9f175b7990fd8959dc
SHA512: b646c21e687e0efa75913d21b3403f9ff0945d91158a9dbd318685d2eecacbc4f79f24f2cf3420045c1dee6161b71d084703277e8a4e2df79fa1177b7b42d205

Signatures

  • NetWire RAT payload

  • Netwire

    Description: Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Executes dropped EXE

  • Checks computer location settings

    Description: Looks up the country code configured in the registry, likely for geofencing.

    TTPs: Query Registry; System Information Discovery

  • Loads dropped DLL

  • Adds Run key to start application

    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext
