General

  • Target

    NisSrv.exe

  • Size

    584KB

  • Sample

    221014-wa58lsdhe6

  • MD5

    85f14631181a8867a2d41122482ba8dc

  • SHA1

    8e2f2bce824c97cb8dd83c1736cd1de6897bb054

  • SHA256

    bbcca0dc10b700c01e557612f009c050ca618f227e0b8be3d4f471dd9d887a18

  • SHA512

    aec36afdc33880622492010ed028e679778abb8470a8e9517f8c241de0f8a158da3ce1c767e7671b5aab14c77624009e05af35472eb0d6c2e411918756f4d855

  • SSDEEP

    6144:6toWmFzltNCF9NuUzSa3YYcahynDzcjzH1DFKH3oGu8EdoXRXHd:6toNFZj4QySHYca0UjzVDFKH3ox5y3

Malware Config

Extracted

Family

netwire

C2

54.145.6.146:443

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    MSOffice-%Rand%

  • lock_executable

    false

  • mutex

    IERXehpS

  • offline_keylogger

    false

  • password

    a1cap0ne@1960s

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      NisSrv.exe

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks