General

  • Target

    invoice_7833.exe

  • Size

    1MB

  • Sample

    220924-cht1rsbgal

  • MD5

    2bb20b6123c38e8980b9f92e9a16f957

  • SHA1

    3097deacf4adcdb35d8cb9d726cdf9f62efeaca6

  • SHA256

    c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3

  • SHA512

    f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes
activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password@9
registry_autorun
false
use_mutex
false

Targets

    • Target

      invoice_7833.exe

    • Size

      1MB

    • MD5

      2bb20b6123c38e8980b9f92e9a16f957

    • SHA1

      3097deacf4adcdb35d8cb9d726cdf9f62efeaca6

    • SHA256

      c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3

    • SHA512

      f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation