General

  • Target

    tmp

  • Size

    765KB

  • Sample

    220808-w6sbmaged9

  • MD5

    06339fb0802fc20a12e69b64cd6fa5ca

  • SHA1

    6646d3f27069779f3288f23fcafad7f9aecd8466

  • SHA256

    41dc9d757b32d4f74fb771db231cc41ab18703250f6c31b003b3dc749f473d8f

  • SHA512

    7076539a1b70ad0b021c51a9ac6d4cddc57fbb023f5d1756af8b8e7e9afe9430ed58c60a014de29fe6f273277f8b3d0116f8cfce8c630c2aef7947f2e0b343c4

Malware Config

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Pass@2023

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      tmp


    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks