General

  • Target

    99d26620fe24a54c52d14d9acf85be03be49fca9fc80647f9d7a26f124e8598c

  • Size

    767KB

  • Sample

    220701-hbtdjshga9

  • MD5

    0a79b8f791045175ed2702cc7dfb3dd6

  • SHA1

    661a38d7f13895348d230b9c90a24662d3fa1d8c

  • SHA256

    99d26620fe24a54c52d14d9acf85be03be49fca9fc80647f9d7a26f124e8598c

  • SHA512

    566b7a90dd807e9b72ea03bec4ed0639708934df4c844b333fa292b5f17e56991e5c435a73f6d3859e758303818c0d87c1a64a3432190786f1ade72a7f798002

Malware Config

Extracted

Family

netwire

C2

5.133.11.63:4068

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Pedro1234

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      99d26620fe24a54c52d14d9acf85be03be49fca9fc80647f9d7a26f124e8598c

    • Size

      767KB

    • MD5

      0a79b8f791045175ed2702cc7dfb3dd6

    • SHA1

      661a38d7f13895348d230b9c90a24662d3fa1d8c

    • SHA256

      99d26620fe24a54c52d14d9acf85be03be49fca9fc80647f9d7a26f124e8598c

    • SHA512

      566b7a90dd807e9b72ea03bec4ed0639708934df4c844b333fa292b5f17e56991e5c435a73f6d3859e758303818c0d87c1a64a3432190786f1ade72a7f798002

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks