General
-
Target
invoice_7833.exe
-
Size
1MB
-
Sample
220924-cht1rsbgal
-
MD5
2bb20b6123c38e8980b9f92e9a16f957
-
SHA1
3097deacf4adcdb35d8cb9d726cdf9f62efeaca6
-
SHA256
c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3
-
SHA512
f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4
-
SSDEEP
24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79
Malware Config
Extracted
netwire
212.193.30.230:3345
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password@9
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
invoice_7833.exe
-
Size
1MB
-
MD5
2bb20b6123c38e8980b9f92e9a16f957
-
SHA1
3097deacf4adcdb35d8cb9d726cdf9f62efeaca6
-
SHA256
c43c2232e4c6cf97b7bd145ab5a72c8d5c408c77b7a56725160c192a6f6434a3
-
SHA512
f402382f7d5802130c6db3ada51678304b4d51558dacbfcd4237012153b2e66f88d525f6c23383a7792a2d70daab5cd8117c8347c85d34eabbd37d222b3879d4
-
SSDEEP
24576:5AOcZgAgB9ZkeKEptML955rCmtMyGpLAWDXxo8FVCaWXZWcVX:zTAgBgApyLseZG/VokCp79
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation