General

  • Target

    Putty.exe

  • Size

    339KB

  • Sample

    220626-gllwsabcc2

  • MD5

    959be976070ea4820a2e24dcce3d0bdf

  • SHA1

    7ec0c6d7d9b75ef8f078383a15d977b45dc434c1

  • SHA256

    6b4dd13ea6241a6c8ad2c967d88f3336798dc1e30dd24cfa3377f9b363d70b2e

  • SHA512

    de3ed25149af67a28cd5659bfeb895e323bbd9e79bb791bfbe972f448ca1012d4872b4478bd321a8baefd5813dd69fb19d73ff02d078f5b99ab6618946d4455e

Malware Config

Extracted

  • Family

    netwire

  • C2

    finerthings.duckdns.org:3021

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    H23053OIGS

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    finerthings@963

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks