General

  • Target

    Payment confirmation.exe

  • Size

    794KB

  • Sample

    220920-jh4njafhdm

  • MD5

    d2e1541ec3a29b282d6b0695f4d223af

  • SHA1

    31e6d8ebcfb269cb6ec3422439633bc14eb22ea6

  • SHA256

    a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1

  • SHA512

    86844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f

  • SSDEEP

    12288:U91Rix5fEFksZMpJqB61ap5a0kAh8ZwQmiiyqADqjJ5n:UifEFkfJoi0k4E7mkMjr

Malware Config

Extracted

Family

netwire

C2

37.0.14.214:3346

37.0.14.214:4478

37.0.14.214:3469

37.0.14.214:3565

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    move4ward

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      Payment confirmation.exe

    • Size

      794KB

    • MD5

      d2e1541ec3a29b282d6b0695f4d223af

    • SHA1

      31e6d8ebcfb269cb6ec3422439633bc14eb22ea6

    • SHA256

      a2a0a4b91cbcf08126c70586521d2e7a0d6cf744058c314ffced7bdce97a40a1

    • SHA512

      86844a6d7f84b1852873f5eec28ce7b60e2d381d83b4bb25052593adfa6e5f1d1b35d6df2e4bf949f570a86b9905ac34c45fc27680e0869ee7b24c6351f0fa8f

    • SSDEEP

      12288:U91Rix5fEFksZMpJqB61ap5a0kAh8ZwQmiiyqADqjJ5n:UifEFkfJoi0k4E7mkMjr

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1): T1053

  • Persistence

    Scheduled Task (1): T1053

  • Privilege Escalation

    Scheduled Task (1): T1053

  • Discovery

    Query Registry (1): T1012

    System Information Discovery (2): T1082

Tasks