General

  • Target

    Confirmation slip.exe

  • Size

    747KB

  • Sample

    220927-lfbwvadbb4

  • MD5

    96a1edd287967c1c8cb228d5fa138001

  • SHA1

    a7a9024ee3561de8d23cbcc1d4b2d4aa833fd154

  • SHA256

    6e8bf76b6d1f39b8366169c0cd6dc4bee0946973b8f5c64baf7fd1bfd1846731

  • SHA512

    fe42e520d20bbc6d75604967e7d544c490b9f2356c2c73dbd7c111ad583c444cae25d8c61b40ab731ddb01d6e9602d1557a7e780120ea7d3bf9d164f1938f561

Malware Config

Extracted

Family

netwire

C2

104.222.188.99:3360

zonedx.ddns.net:3360

zonedx.ddns.net:3363

104.222.188.99:3363

Attributes

  • activex_autorun: false
  • copy_executable: false
  • delete_original: false
  • host_id: HostId-%Rand%
  • keylogger_dir: %AppData%\Logs\
  • lock_executable: false
  • offline_keylogger: true
  • password: Password9090
  • registry_autorun: false
  • use_mutex: false
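The extracted config is the most directly actionable part of this report: two C2 endpoints (a fixed IP and a DDNS name, each on ports 3360 and 3363), and a keylogger directory; the persistence-related attributes (registry_autorun, copy_executable) are all off, so network telemetry is the first place to hunt. The following is an added example, not part of the sandbox report, showing how to turn the listed C2 entries into a de-duplicated IOC set and match it against Zeek-style conn.log rows and DNS query lines. The log lines are constructed for illustration; the hostnames, uids and client addresses in them are made up.

```python
"""Turn the NetWire config extracted above into network hunting IOCs and match
them against connection and DNS logs.  Added example, not part of the sandbox
report; the log lines below are constructed for illustration."""
import ipaddress

# C2 endpoints exactly as listed in the extracted config (host:port).
C2_ENTRIES = [
    "104.222.188.99:3360",
    "zonedx.ddns.net:3360",
    "zonedx.ddns.net:3363",
    "104.222.188.99:3363",
]


def parse_c2(entries):
    """Split host:port strings into a set of (kind, host, port) tuples.
    kind is "ip" or "domain"; hosts are lower-cased and a trailing dot is
    dropped so matching is case-insensitive and duplicates collapse."""
    iocs = set()
    for entry in entries:
        host, _, port = entry.rpartition(":")
        host = host.lower().rstrip(".")
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        iocs.add((kind, host, int(port)))
    return iocs


def ioc_summary(iocs):
    """Distinct domains, IPs and ports, in the shape a blocklist needs."""
    return {
        "domains": sorted({h for k, h, _ in iocs if k == "domain"}),
        "ips": sorted({h for k, h, _ in iocs if k == "ip"}),
        "ports": sorted({p for _, _, p in iocs}),
    }


def match_conn_log(lines, iocs):
    """Match Zeek-style conn.log rows (tab-separated: ts, uid, id.orig_h,
    id.orig_p, id.resp_h, id.resp_p, proto).  An exact host:port match is
    labelled "exact"; any other connection to a C2 IP is still reported as
    "ip-only", because an operator can rotate ports behind a fixed IP."""
    ips = {h for k, h, _ in iocs if k == "ip"}
    hits = []
    for line in lines.splitlines():
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, _proto = line.split("\t")
        if ("ip", resp_h, int(resp_p)) in iocs:
            hits.append((uid, orig_h, f"{resp_h}:{resp_p}", "exact"))
        elif resp_h in ips:
            hits.append((uid, orig_h, f"{resp_h}:{resp_p}", "ip-only"))
    return hits


def match_dns_log(lines, iocs):
    """Match DNS query lines (space-separated: ts, client, qname) against the
    C2 domains; the DDNS name is the IOC that survives an IP change."""
    domains = {h for k, h, _ in iocs if k == "domain"}
    hits = []
    for line in lines.splitlines():
        _ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in domains:
            hits.append((client, qname))
    return hits


# Constructed sample logs (not traffic from the sandbox run).
CONN_LOG = (
    "1664280001.123\tCabc1\t10.0.0.17\t49711\t104.222.188.99\t3360\ttcp\n"
    "1664280002.456\tCabc2\t10.0.0.17\t49712\t203.0.113.5\t443\ttcp\n"
    "1664280003.789\tCabc3\t10.0.0.21\t49713\t104.222.188.99\t3363\ttcp\n"
    "1664280004.000\tCabc4\t10.0.0.21\t49714\t104.222.188.99\t443\ttcp\n"
)
DNS_LOG = (
    "1664280000.900 10.0.0.17 zonedx.ddns.net\n"
    "1664280000.950 10.0.0.17 www.microsoft.com\n"
    "1664280002.900 10.0.0.21 ZONEDX.DDNS.NET.\n"
)

if __name__ == "__main__":
    iocs = parse_c2(C2_ENTRIES)
    print(ioc_summary(iocs))
    for hit in match_conn_log(CONN_LOG, iocs) + match_dns_log(DNS_LOG, iocs):
        print(hit)
```

The "ip-only" class is deliberate: blocking only 104.222.188.99:3360 and :3363 would miss the fourth constructed row, where the same IP is contacted on 443. Block on the IP and the DDNS name, alert on the ports. The keylogger_dir value (%AppData%\Logs\) is the matching host-side artifact to check on any machine that produced a hit.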

Targets

    • Target

      Confirmation slip.exe

    • Size

      747KB

    • MD5

      96a1edd287967c1c8cb228d5fa138001

    • SHA1

      a7a9024ee3561de8d23cbcc1d4b2d4aa833fd154

    • SHA256

      6e8bf76b6d1f39b8366169c0cd6dc4bee0946973b8f5c64baf7fd1bfd1846731

    • SHA512

      fe42e520d20bbc6d75604967e7d544c490b9f2356c2c73dbd7c111ad583c444cae25d8c61b40ab731ddb01d6e9602d1557a7e780120ea7d3bf9d164f1938f561

    • NetWire RAT payload

    • Netwire

      NetWire is a RAT whose main functionality is password stealing and keylogging; it also includes remote-control capabilities.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
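The five registry signatures above are all reads: the sample opens or queries keys to decide whether it is running in a VM or sandbox (and, for the location check, in which country). Sysmon does not record registry reads (its registry events cover key/value creation, deletion, set and rename), so this behaviour is visible only in an API trace such as a Procmon capture or the sandbox's own log. The following is an added example, not part of the sandbox report, that scans a Procmon-style CSV export for those reads and flags a process that touches several check categories. The key paths are the locations these checks are commonly associated with; the report does not name them, so treat the paths as assumptions. The trace is constructed.

```python
"""Flag the registry-based VM/sandbox checks listed above in a Procmon-style
trace.  Added example, not part of the sandbox report.  Key paths are assumed
(the report does not list them); the trace below is constructed."""
import csv
import io
from collections import defaultdict

# Check category -> registry paths, matched as case-insensitive prefixes.
# Assumed locations, not taken from the report.
EVASION_KEYS = {
    "virtualbox_guest_additions": [
        r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    ],
    "vmware_tools": [
        r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    ],
    "bios_info": [
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    ],
    "location_geofence": [
        r"HKCU\Control Panel\International\Geo\Nation",
    ],
    "drive_enumeration": [
        r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    ],
}

# Only read-type operations matter: the checks query, they do not write.
READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue", "RegEnumKey", "RegEnumValue"}


def classify_path(path):
    """Return the evasion category a registry path belongs to, or None."""
    p = path.lower()
    for category, prefixes in EVASION_KEYS.items():
        if any(p.startswith(prefix.lower()) for prefix in prefixes):
            return category
    return None


def scan_trace(csv_text):
    """Group matching read operations by process: {process: {category: [paths]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in READ_OPS:
            continue
        category = classify_path(row["Path"])
        if category is not None:
            findings[row["Process Name"]][category].append(row["Path"])
    return {proc: dict(cats) for proc, cats in findings.items()}


def suspicious(findings, min_categories=2):
    """One lookup on its own (explorer.exe reading the Geo Nation value) is
    normal; several distinct categories from one process is the check pattern."""
    return sorted(p for p, cats in findings.items() if len(cats) >= min_categories)


# Constructed Procmon CSV export (not the report's own trace).
TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"12:01:03.1","Confirmation slip.exe","4120","RegOpenKey","HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions","NAME NOT FOUND"
"12:01:03.2","Confirmation slip.exe","4120","RegOpenKey","HKLM\SOFTWARE\VMware, Inc.\VMware Tools","NAME NOT FOUND"
"12:01:03.3","Confirmation slip.exe","4120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS"
"12:01:03.4","Confirmation slip.exe","4120","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS"
"12:01:03.5","Confirmation slip.exe","4120","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0","SUCCESS"
"12:01:03.6","Confirmation slip.exe","4120","RegSetValue","HKCU\Software\Classes\Local Settings\MuiCache\1","SUCCESS"
"12:01:04.0","explorer.exe","1188","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS"
"12:01:04.1","svchost.exe","904","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS"
'''

if __name__ == "__main__":
    findings = scan_trace(TRACE)
    for proc, cats in findings.items():
        print(proc, sorted(cats))
    print("suspicious:", suspicious(findings))
```

The threshold matters: each key on its own is read by legitimate software (installers look for VMware Tools, the shell reads the Geo Nation value), so a single category is noise; a sample that walks through VM-vendor keys, BIOS strings, disk enumeration and the locale in one burst is the pattern worth alerting on. Note that a "NAME NOT FOUND" result is the normal outcome on bare metal and is still a hit; the check is the lookup, not the value returned.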

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation