General

  • Target: SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
  • Size: 791KB
  • Sample: 221115-wrfdhsfb59
  • MD5: 4ce9503e6cbbcc8ec8a8b3696986843f
  • SHA1: 62f2a7cd9fc8b4acf6c442b246cbf34035f0b540
  • SHA256: 1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc
  • SHA512: f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf
  • SSDEEP: 12288:/B4XsRQQwHXOMYRIp7RNqW/1D8TkJhTUDT1+RngcpCYrNl:pQjHXO5RIp7R91+2h4DLICQl

Malware Config

Extracted

  • Family: netwire
  • C2: 79.134.225.121:2210

Attributes
  • activex_autorun: false
  • copy_executable: false
  • delete_original: false
  • host_id: HostId-%Rand%
  • install_path: %AppData%\Install\Host.exe
  • lock_executable: false
  • offline_keylogger: false
  • password: Elibee88
  • registry_autorun: false
  • use_mutex: false

Targets

    • Target: SecuriteInfo.com.Variant.Barys.51933.17281.33.exe
    • Size: 791KB
    • MD5: 4ce9503e6cbbcc8ec8a8b3696986843f
    • SHA1: 62f2a7cd9fc8b4acf6c442b246cbf34035f0b540
    • SHA256: 1cc44e0f214cbf72c836dcbd1b1e67ad574bba62873f974432ee076072bf42cc
    • SHA512: f53743b7e2dd7eb88a99a01ca95ca12b4afe56892fa0fa28c3409b72cf15aedcc15c2f0966959399a2effd2b6d0b323f4ab61c66bc15ce30bec0093157127dbf
    • SSDEEP: 12288:/B4XsRQQwHXOMYRIp7RNqW/1D8TkJhTUDT1+RngcpCYrNl:pQjHXO5RIp7R91+2h4DLICQl

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Discovery: Query Registry (2) T1012; System Information Discovery (3) T1082

Tasks