General

  • Target

    682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191

  • Size

    1MB

  • Sample

    221003-cfr4dsdahk

  • MD5

    6e752a28a3d4f61fb158099beab88f90

  • SHA1

    d8c18216e718401d37a81674d4f4bb95f16742c6

  • SHA256

    682e7f4053a133c8fe08dfede3962d5af96f01dff69a72ac0b0f0ba8afc57191

  • SHA512

    66bad4bab339a255cded95b6a03df4c149c486deceb23c3fd55080b16d48251bc7ad4db5e5e74c95ad46deebbdbb70fa05ee6fa26ae01e56fa9a89d9ad32e1eb

Malware Config

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

    • Collection

    • Command and Control

    • Credential Access

    • Defense Evasion

    • Execution

    • Exfiltration

    • Impact

    • Initial Access

    • Lateral Movement

    • Privilege Escalation