General

  • Target

    DA405198039CD58C1D5DD3E7AE8A26E024C2E3AB70A56B4111992974E531A7D2

  • Size

    687KB

  • Sample

    221114-tjr18scd82

  • MD5

    441592a266a78676aa9ab0f0e3cbcb6d

  • SHA1

    8874bf82d7be87e9b9b00cde4d8bf6cc2a77b0eb

  • SHA256

    da405198039cd58c1d5dd3e7ae8a26e024c2e3ab70a56b4111992974e531a7d2

  • SHA512

    5652ba23501178ea07c7d9b9a9ffd93cc92dfa1b482ab070dba1b731fb87b9ef0c4e24b1ee5f1b3abc8fed64b607d4aec6b81b91214921d5fe5c298d27faa420

  • SSDEEP

    12288:u/RlhuXSBNTiQdxKDSYVeVS0kBbX/IqyzvCokDxFmsg7Tlv39jybfnbd:upOXa20KuS0kRX/IjzvVkDx7gPt3QrJ

Malware Config

Extracted

Family

netwire

C2

podzeye2.duckdns.org:4433

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      FACTURA09473773.exe

    • Size

      869KB

    • MD5

      765188ba741378b933fe5031593c3237

    • SHA1

      0e9bcebaba138d15f24de1129cc8799905a5b16c

    • SHA256

      481f3d87a7521d78973241b978e076e2a19beacd54a2307d444f760e47f5589e

    • SHA512

      a3b45caf7ac994740f919ed7eda0e596dcbd20ce991e9c159201124f63b3db8181019806f5daa0b5decce6e093613c6145cb4b1b97b0fbefc243c16346f481a3

    • SSDEEP

      24576:l1CFvW+Sg3pOVI+jODkjxKgr83io3F93:lYFua3iI+6Ijsgr8SoV9

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks