General

  • Target

    RFQ-MVP300-3400 For MSA New Vessel.doc

  • Size

    63KB

  • Sample

    221012-jr4pwschf7

  • MD5

    5d3e6d263bd94b901830e792fd237693

  • SHA1

    de135c0e1255f334513aff51515de780d8ac8099

  • SHA256

    7ce5a9235acf3eb2001197190b598be8fa49e8f0e2ef9d0ae0a1c2c3095cd7b7

  • SHA512

    3b1a29ef85680507f70f374fa5ec72cc56387b258d4a39ee64dc3ac980170116a0ddff972813a40a247a28f761aa129fea20d69753c543fade5f30c4991a6355

  • SSDEEP

    384:OiCquMo5W4eDbg8iSUR/8daGJrqrjKOxtXYI+Q/cj0tpbnopkpSEP0j:OiCXf5zSe/qvsuxI+4DpbnokSi

Malware Config

Extracted

  • Family

    netwire

  • C2

    37.0.14.206:3384

  • Attributes

    activex_autorun: false
    copy_executable: false
    delete_original: false
    host_id: HostId-%Rand%
    install_path: %AppData%\Install\Host.exe
    lock_executable: false
    offline_keylogger: false
    password: Password234
    registry_autorun: false
    use_mutex: false

Targets

    • Target

      RFQ-MVP300-3400 For MSA New Vessel.doc

    • Size

      63KB

    • MD5

      5d3e6d263bd94b901830e792fd237693

    • SHA1

      de135c0e1255f334513aff51515de780d8ac8099

    • SHA256

      7ce5a9235acf3eb2001197190b598be8fa49e8f0e2ef9d0ae0a1c2c3095cd7b7

    • SHA512

      3b1a29ef85680507f70f374fa5ec72cc56387b258d4a39ee64dc3ac980170116a0ddff972813a40a247a28f761aa129fea20d69753c543fade5f30c4991a6355

    • SSDEEP

      384:OiCquMo5W4eDbg8iSUR/8daGJrqrjKOxtXYI+Q/cj0tpbnopkpSEP0j:OiCXf5zSe/qvsuxI+4DpbnokSi

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionalities are password stealing and keylogging, but it also includes remote control capabilities.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Tasks