General

  • Target

    proof of payment.exe

  • Size

    661KB

  • Sample

    220915-lwwaescfb5

  • MD5

    af0b6c0b096bc0a9a6c6da19b3340a4c

  • SHA1

    4bc68ca3cd282e9c711c6b9a452a425af4fdf8d8

  • SHA256

    0b069c7e87aeb1802c8a83bf595bdf68040faf36bb5f607f4d1a20b8b8f45403

  • SHA512

    b33da09ded4c519566e9277cc4b10c4f5553246dd587c74c6c212430b45d4c188221d65f4357a6a5ff97202e1429378dd903c7f23217a16acf876c0bf3ab0ba1

  • SSDEEP

    12288:m5VF75e1ZsTyxRM2wfQy/FhucmJcTQJW0OkzKJfhd45/B:KVZ52ZX/OX9hDUcTOW5eAHW

Malware Config

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)

Tasks