General

  • Target

    INVOICE00433.exe

  • Size

    673KB

  • Sample

    220819-h68rqaaahr

  • MD5

    ba34224f638293815a97a3d4e7f5bc67

  • SHA1

    c0dc327bd340eb447cb8e78603fa4dded8c152c9

  • SHA256

    40374376894492fb4f8aa245a8197df99859e2f98b786c344f877813a1a3f224

  • SHA512

    b410175eccc1dcfa5347b2e72d72c42b08c470095ac9716637973d6dbb0ebd78237a7bc8fba24ef516d2f3e6734449f9a3d8a530c1d54e81180f25ff0fd38403

  • SSDEEP

    12288:WQ11R/5P16n+CIoB88dFMh2O0CB4OYUdrYvxoFGSjjFWxJS:LPI+CvlMoSB4YqOjqJS

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@9

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution: Scheduled Task (1 hit) T1053

Persistence: Scheduled Task (1 hit) T1053

Privilege Escalation: Scheduled Task (1 hit) T1053

Discovery: Query Registry (1 hit) T1012; System Information Discovery (2 hits) T1082

Tasks