General

  • Target

    95b5d76bfb2204011333248cc121b5a4.exe

  • Size

    882KB

  • Sample

    221001-jgd2gsffd4

  • MD5

    95b5d76bfb2204011333248cc121b5a4

  • SHA1

    6faea7983c34f12cec7d22184be0eb1693e0abaf

  • SHA256

    849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

  • SHA512

    966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
offline_keylogger
true
password
Password234
registry_autorun
false
use_mutex
false

Targets

    • Target

      95b5d76bfb2204011333248cc121b5a4.exe

    • Size

      882KB

    • MD5

      95b5d76bfb2204011333248cc121b5a4

    • SHA1

      6faea7983c34f12cec7d22184be0eb1693e0abaf

    • SHA256

      849590a841b815d047cfdadf4f430a64b8b1ac03518a0e1f18923662e7f4563e

    • SHA512

      966343713d2174f09e1f5aa4493eb79bfca3b6504ff18253449e7a153c8a249f4a52e9d0a7e7319817b284fbaa80dff94e034772cc32fb3635457cbb1f3fc152

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                    Privilege Escalation