General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.12142.20857

  • Size

    920KB

  • Sample

    220727-hmgh5aeha5

  • MD5

    c351b1bd7a09b17641f40d128a36a26c

  • SHA1

    eb958884a41f20db6ff81f87e947c867ec4eeb12

  • SHA256

    9a558d058307b8c1ef997ef5aa803d4e1f91b94c3c4df9bf038c4b445713a37c

  • SHA512

    82ba2a699e99141a802f9cb450e8885829939a70cbd3e93661116f0a92e077a07958d3a20a8ab5dd4b1ae0a3f5387ce348a11d1b246935eb4365bc58be8cbb14

Malware Config

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Pass@2023

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      SecuriteInfo.com.W32.AIDetectNet.01.12142.20857

    • Size

      920KB

    • MD5

      c351b1bd7a09b17641f40d128a36a26c

    • SHA1

      eb958884a41f20db6ff81f87e947c867ec4eeb12

    • SHA256

      9a558d058307b8c1ef997ef5aa803d4e1f91b94c3c4df9bf038c4b445713a37c

    • SHA512

      82ba2a699e99141a802f9cb450e8885829939a70cbd3e93661116f0a92e077a07958d3a20a8ab5dd4b1ae0a3f5387ce348a11d1b246935eb4365bc58be8cbb14

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks