General

  • Target

    SecuriteInfo.com.Trojan.Mardom.MN.24.5711.7878

  • Size

    590KB

  • Sample

    220914-kpdw5ahfh7

  • MD5

    e3ceb848b672af6dd941b18dd773d514

  • SHA1

    1b8055a092d828a38ae9d74989dc43fc381c854a

  • SHA256

    71a260b79d48bfb8917050a14b955f79412846d10f1263ce3ad8ef14f8e07e04

  • SHA512

    5b669c7ef255294aad1182f96259b7584515f90b8a2f0ca3769ae85d644a3c8ec4e87459de6a6ff70af02fc8f86affe476beb0046146d8a3ea3158e27233053d

  • SSDEEP

    12288:9iGjtavmy2p2aY6DXaw2dXoTmSAHBsoV:r0aYxD9oTmdHBsG

Malware Config

Extracted

Family

netwire

C2

iphanyi.edns.biz:3360

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    RDP_SEPT_2022

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    caster123

  • registry_autorun

    false

  • use_mutex

    false
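The extracted configuration above is directly usable for hunting: the install path, the C2 hostname and port, and the file hashes from the General section are all observable in endpoint telemetry. The following Python script is an added example (not part of the sandbox report or of any analysis tooling it references) that turns those config values into matchers and runs them over a handful of constructed Sysmon-style key=value log records. The log lines, the `ENV_EXPANSIONS` table and the record format are assumptions made for the example; the config values and SHA256 are copied from this page.

```python
"""Hunt for the NetWire indicators in this report across Sysmon-style log lines.
Added example: log records below are constructed, not taken from the sandbox run."""
import re
from dataclasses import dataclass
from typing import Dict, List, Pattern

# Values copied from the "Malware Config" and "General" sections of the report.
NETWIRE_CONFIG = {
    "c2": "iphanyi.edns.biz:3360",
    "host_id": "RDP_SEPT_2022",
    "install_path": r"%AppData%\Install\Host.exe",
    "sha256": "71a260b79d48bfb8917050a14b955f79412846d10f1263ce3ad8ef14f8e07e04",
}

# Assumed on-disk expansions of Windows environment variables. %AppData% is the
# per-user Roaming folder, so the concrete path differs for every victim account.
ENV_EXPANSIONS = {
    "%appdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%localappdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\local",
    "%temp%": r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp",
}


def install_path_regex(install_path: str) -> Pattern:
    """Turn a config path such as %AppData%\\Install\\Host.exe into a
    case-insensitive regex matching the fully expanded on-disk path."""
    pieces = []
    for part in re.split(r"(%[A-Za-z]+%)", install_path):
        pieces.append(ENV_EXPANSIONS.get(part.lower(), re.escape(part)))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def parse_kv(line: str) -> Dict[str, str]:
    """Parse 'Key=Value Key2=Value2' records; a value runs until the next ' Key='."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


def hunt(lines: List[str], config: dict = NETWIRE_CONFIG) -> List[Hit]:
    """Return every record that matches one of the extracted indicators."""
    host, port = config["c2"].rsplit(":", 1)
    host = host.lower()
    path_re = install_path_regex(config["install_path"])
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_kv(line)
        # Process creation / DNS / network events all carry the originating Image.
        if path_re.match(rec.get("Image", "")):
            hits.append(Hit(n, "install_path", line))
        # Sysmon writes Hashes=SHA256=<hex>; compare case-insensitively.
        if config["sha256"].lower() in rec.get("Hashes", "").lower():
            hits.append(Hit(n, "sha256", line))
        # DNS query for the C2 host (trailing dot tolerated).
        if rec.get("QueryName", "").lower().rstrip(".") == host:
            hits.append(Hit(n, "c2_dns", line))
        # Outbound connection whose resolved hostname is the C2 on its port.
        if (rec.get("DestinationHostname", "").lower().rstrip(".") == host
                and rec.get("DestinationPort") == port):
            hits.append(Hit(n, "c2_connect", line))
    return hits


# Constructed Sysmon-style records (EventID 1 = process create, 3 = network
# connection, 22 = DNS query); not taken from the sandbox run.
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Windows\System32\svchost.exe Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    r"EventID=1 Image=C:\Users\alice\AppData\Roaming\Install\Host.exe Hashes=SHA256=71A260B79D48BFB8917050A14B955F79412846D10F1263CE3AD8EF14F8E07E04",
    r"EventID=22 Image=C:\Users\alice\AppData\Roaming\Install\Host.exe QueryName=iphanyi.edns.biz",
    r"EventID=3 Image=C:\Users\alice\AppData\Roaming\Install\Host.exe DestinationHostname=iphanyi.edns.biz DestinationPort=3360",
    r"EventID=22 Image=C:\Program Files\Mozilla Firefox\firefox.exe QueryName=example.com",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason}: {h.line}")
```

The path matcher is deliberately built from the config string rather than hard-coded, so the same function works for other NetWire configs (or other families) that use `%LocalAppData%` or `%Temp%` install paths; the hash and hostname checks are exact, which is appropriate for a single known sample but will not catch a rebuilt binary or a rotated C2 host.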

Targets

    • Target

      SecuriteInfo.com.Trojan.Mardom.MN.24.5711.7878

    • Size

      590KB

    • MD5

      e3ceb848b672af6dd941b18dd773d514

    • SHA1

      1b8055a092d828a38ae9d74989dc43fc381c854a

    • SHA256

      71a260b79d48bfb8917050a14b955f79412846d10f1263ce3ad8ef14f8e07e04

    • SHA512

      5b669c7ef255294aad1182f96259b7584515f90b8a2f0ca3769ae85d644a3c8ec4e87459de6a6ff70af02fc8f86affe476beb0046146d8a3ea3158e27233053d

    • SSDEEP

      12288:9iGjtavmy2p2aY6DXaw2dXoTmSAHBsoV:r0aYxD9oTmdHBsG

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging; it also includes remote control capabilities.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique         ID     Count
Execution              Scheduled Task    T1053  1
Persistence            Scheduled Task    T1053  1
Privilege Escalation   Scheduled Task    T1053  1

Tasks