General

  • Target

    Confidential.exe

  • Size

    727KB

  • Sample

    220927-ksq1vsdaf3

  • MD5

    77d64026e7224a2243bcb023766111e6

  • SHA1

    0124b3fc954340b6857c96b37e89e9eca64da43a

  • SHA256

    b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25

  • SHA512

    aa233f2db25af667574de2de6870cd6aa259b62700f604bf0478dac442a358a143853c8b8ad0c913f91b3b3e05662a3c9a7216cd1ca051fd0c20e5fbba40a0b8

  • SSDEEP

    12288:voxpAdRDmK6S8IB++Ll22jqZEp5E3qjJ5nl0+9MK:Z56SRB++LVMy1jrZe

Malware Config

Extracted

Family

netwire

C2

104.222.188.99:3360

zonedx.ddns.net:3360

zonedx.ddns.net:3363

104.222.188.99:3363

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password9090

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      Confidential.exe

    • Size

      727KB

    • MD5

      77d64026e7224a2243bcb023766111e6

    • SHA1

      0124b3fc954340b6857c96b37e89e9eca64da43a

    • SHA256

      b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25

    • SHA512

      aa233f2db25af667574de2de6870cd6aa259b62700f604bf0478dac442a358a143853c8b8ad0c913f91b3b3e05662a3c9a7216cd1ca051fd0c20e5fbba40a0b8

    • SSDEEP

      12288:voxpAdRDmK6S8IB++Ll22jqZEp5E3qjJ5nl0+9MK:Z56SRB++LVMy1jrZe

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Tasks