General

  • Target

    Confidential.exe

  • Size

    727KB

  • Sample

    220927-ksq1vsdaf3

  • MD5

    77d64026e7224a2243bcb023766111e6

  • SHA1

    0124b3fc954340b6857c96b37e89e9eca64da43a

  • SHA256

    b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25

  • SHA512

    aa233f2db25af667574de2de6870cd6aa259b62700f604bf0478dac442a358a143853c8b8ad0c913f91b3b3e05662a3c9a7216cd1ca051fd0c20e5fbba40a0b8

Malware Config

Extracted

Family

netwire

C2

104.222.188.99:3360

zonedx.ddns.net:3360

zonedx.ddns.net:3363

104.222.188.99:3363

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password9090

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Collection

  • Command and Control

  • Credential Access

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege Escalation