General

  • Target

    tmp

  • Size

    75KB

  • Sample

    220718-cqfhcahhel

  • MD5

    59b5570fd782ef0503a49fd7470200b6

  • SHA1

    1738e6b2ecb79b85e950a9734469404002cbb195

  • SHA256

    f621b17f07a862cf0dd4c87aaef881dc2a39e36f73900025169aa34c99d0a650

  • SHA512

    2fd88fce69174fd1f84866ebc99e1f31e2ef8e4af4606871953d4eafa56b029f2bd039bab14c6b847368ecddab148b08bf4c28f6e820e18f14784c40a8a42135

Malware Config

Extracted

Family

netwire

C2

194.5.98.188:3364

194.5.98.188:3366

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    j5m52xuc

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      tmp

    • Size

      75KB

    • MD5

      59b5570fd782ef0503a49fd7470200b6

    • SHA1

      1738e6b2ecb79b85e950a9734469404002cbb195

    • SHA256

      f621b17f07a862cf0dd4c87aaef881dc2a39e36f73900025169aa34c99d0a650

    • SHA512

      2fd88fce69174fd1f84866ebc99e1f31e2ef8e4af4606871953d4eafa56b029f2bd039bab14c6b847368ecddab148b08bf4c28f6e820e18f14784c40a8a42135

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks