General

  • Target

    tmp

  • Size

    1MB

  • Sample

    220927-jlyxfseaak

  • MD5

    05537902058bc265bf790af120df1723

  • SHA1

    cd69a5a835ec1043537a214f9f5b691502b9862d

  • SHA256

    ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089

  • SHA512

    98de7cd81e76f1ba04132e10bb5ce23b486ce0730c8e7178bd29cc2e91d18e76efe28e24d3b31e3816e11404fbb3905acbd85bf7d54ccc3b8961ffc6064f7597

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Targets

    • Target

      tmp

    • Size

      1MB

    • MD5

      05537902058bc265bf790af120df1723

    • SHA1

      cd69a5a835ec1043537a214f9f5b691502b9862d

    • SHA256

      ee61ac3cd6ac0319af2ca16d292464c08c018c15cd54f48c27df5907c9fca089

    • SHA512

      98de7cd81e76f1ba04132e10bb5ce23b486ce0730c8e7178bd29cc2e91d18e76efe28e24d3b31e3816e11404fbb3905acbd85bf7d54ccc3b8961ffc6064f7597

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation