General

  • Target: SecuriteInfo.com.Win32.RATX-gen.16112.exe
  • Size: 837KB
  • Sample: 220926-ggxgqaagfp
  • MD5: 380c39c11c790386e3b2babd5baf81ba
  • SHA1: 6d52d56fe2623bdbb52b80426f70d090ccb2550c
  • SHA256: 53944a881741bee915b91916abf91bb7916f89756ee49dc2bc8e8ba768213c16
  • SHA512: 35cdb67daac5fefc4395743f2ba3160bdd1b089afb0797f79b2c3ba1718eae6cf678dcb099f5512674c0dd7778910e17a1637027fcc3413267cb833b3359de46

Malware Config

Extracted

  • Family: netwire
  • C2: 212.193.29.37:3030
  • Attributes
      • activex_autorun: false
      • copy_executable: false
      • delete_original: false
      • host_id: client
      • install_path: %AppData%\Install\Host.exe
      • lock_executable: false
      • mutex: xcCpnqVL
      • offline_keylogger: false
      • password: 123456
      • registry_autorun: false
      • use_mutex: false

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality focuses on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Tactic columns (no techniques listed in this report): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation