General

  • Target

    inv9087673.pdf.img

  • Size

    1.3MB

  • Sample

    220818-vekl2ahber

  • MD5

    f2ea4858864201512635672312ff0711

  • SHA1

    8a41ead580805a284528e3a1e081e3b46a9439f7

  • SHA256

    c30e0dc8c0a1e5c59786c5c5fa22a1e7fbffd7a590313397eb2d35a78cb6f666

  • SHA512

    91daba722efdb4338276da02189d6054a0d451ff704b12400e57eb00837d7713560bb179c5cc85023cced068fb1db5d132fbd753a0ebc4d0a1caf13984247f82

  • SSDEEP

    12288:EfZZ5m+JN9Wd11R/5PV6nTSscLn3NAqw0wJyFVOMzmm/td2jHC4m0EtPG:83Y+7yPojCdAD0SQVXmmlTP0Et

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@9

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      INV90876.EXE

    • Size

      759KB

    • MD5

      3b5e92e5880c828f9ad90929a3b6d5a1

    • SHA1

      8282c9cb22644b515da8b049cd288cd09a891aee

    • SHA256

      84530ed1bbd58c38b85fc93e447d14251cda335b3de5fe9216cf3386758cb0ee

    • SHA512

      3a333d5e3d56a3e885ebbeda98f56da45782ade9c07ed8da3bee7f109f8bc90e4ee6dd7977705ac4854ef92915ee09ffdf716d40ecb07d5e8d2dfe8958dff449

    • SSDEEP

      12288:/fZZ5m+JN9Wd11R/5PV6nTSscLn3NAqw0wJyFVOMzmm/td2jHC4m0EtPG:33Y+7yPojCdAD0SQVXmmlTP0Et

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks