General

  • Target

    Annerkenntniserklärung.exe

  • Size

    1MB

  • Sample

    220915-ja8mhsccc4

  • MD5

    a9340d3caeb2d458f51bcdcc35f40e4f

  • SHA1

    56ffc6171db6c045f3db84689ec61f05df842899

  • SHA256

    8b86424f0ef6817bcb0ce07545ae7fd2c808d02346ee0e3d602115d791d6993b

  • SHA512

    8a88c3c6ebf472a529bd3326a080c9d4d2d53de65ccd0fa48c99bbf7dc618d36c759381da6b66892a511c1f81081ffe13d44d4a3f99a6df0d7b7d8ab0177a86c

  • SSDEEP

    24576:wshKd32Jzh68PfS0ECCnHqXdzzI4zlv44tJ:1U2xh6aS0EHHqXRzI4zh44t

Malware Config

Extracted

  • Family

    netwire

  • C2

    podzeye2.duckdns.org:4433
    podzeye2.duckdns.org:4411
    podzeye2.duckdns.org:4422

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks