General

  • Target

    bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39

  • Size

    194KB

  • Sample

    221002-2tgl9afeeq

  • MD5

    668d157ae4a5f12573f9711d5c545c20

  • SHA1

    ad7ff5f2fdb495a21c13656bb6ab8269b37b580e

  • SHA256

    bf6a763be37b940d0ab0ca6d8d5cbba15366861f36acf4e98e4249f92f445e39

  • SHA512

    245cd610ec06f30662b7be887f86b4b75f9c2947240837b7699df1a58301f4d2c6a1c2dbfea30a5df629f48a2eb11445bf0a638e4ad8a603069a8949a7f9735b

  • SSDEEP

    3072:JjQONxHpxhA2H/hegAuhIR/M5eWsJzayw8zcXyNYCQk2eDwXJQ6p:ScHm2Y0hPeWKzayFzvCCvzSJQ

Targets

    • Modifies WinLogon for persistence

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                      Hits  ID
  Persistence       Winlogon Helper DLL            1     T1004
  Defense Evasion   Modify Registry                1     T1112
  Discovery         Query Registry                 1     T1012
  Discovery         System Information Discovery   2     T1082