General

  • Target

    tmp

  • Size

    7KB

  • Sample

    221117-twa89aah6y

  • MD5

    27a275b9237315ba8278c5a5c21535a5

  • SHA1

    a029e26da504b3f2d8775f7b0592cca298aa89b2

  • SHA256

    7f26ea3cb1e19751ee9ca317c3b13d44f3877ede7e162e16172c2eced25f21d7

  • SHA512

    8c29a96c5ae1b4690d1f4f5ac348f65144e32235865e69c84c448ec78c837951ecedc2d2dc6adc0b1c5d7b5bbb5d7cd7b6b21134120ce775e11b7df9bc74d56b

  • SSDEEP

    192:p9OSsMuPtyvkusLBkGYM9xyXAVxVwy75HjXEjdtG:p9OSszP48usLiVM9Qej5bodt

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

212.193.30.230:3362

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Cantbeme@1

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      tmp

    • Size

      7KB

    • MD5

      27a275b9237315ba8278c5a5c21535a5

    • SHA1

      a029e26da504b3f2d8775f7b0592cca298aa89b2

    • SHA256

      7f26ea3cb1e19751ee9ca317c3b13d44f3877ede7e162e16172c2eced25f21d7

    • SHA512

      8c29a96c5ae1b4690d1f4f5ac348f65144e32235865e69c84c448ec78c837951ecedc2d2dc6adc0b1c5d7b5bbb5d7cd7b6b21134120ce775e11b7df9bc74d56b

    • SSDEEP

      192:p9OSsMuPtyvkusLBkGYM9xyXAVxVwy75HjXEjdtG:p9OSszP48usLiVM9Qej5bodt

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks