General

  • Target: SecuriteInfo.com.Win32.PWSX-gen.13123.exe
  • Size: 897KB
  • Sample: 220919-gekp5safd9
  • MD5: 8f0455d51130bf17f17e66b57efb722f
  • SHA1: ea74f9e0c869e62cb349bb92b830ea171fe6caf9
  • SHA256: aa109160a7bf36d319dd778b009ccb6db1a506c5a0eebd87fa6628e9313496c5
  • SHA512: ba9e6c954848b8a9bd763f567c0fceb2b13da94047a79d0894a9b0431fcb3bde905b88f64e614c6a231c7ebfc09f03e8003b425f26975628129609c1c885c22b
  • SSDEEP: 12288:Mfa0Kkm88qbIFM/t+fBF117PUspayEt31F+V65q63JYZJT:+rKMoJF1178U23L+V65hOZB

Malware Config

Extracted

  • Family: netwire
  • C2: podzeye2.duckdns.org:4411

Attributes

  • activex_autorun: false
  • copy_executable: false
  • delete_original: false
  • host_id: HostId-%Rand%
  • lock_executable: false
  • offline_keylogger: false
  • password: Password
  • registry_autorun: false
  • use_mutex: false

Targets

    • Target: SecuriteInfo.com.Win32.PWSX-gen.13123.exe
    • NetWire RAT payload
    • Netwire: Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Uses the VBS compiler for execution
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scripting (1) T1064; Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Defense Evasion: Scripting (1) T1064
  • Discovery: Query Registry (1) T1012; System Information Discovery (2) T1082

Tasks