General

  • Target

    RFQ.exe

  • Size

    7KB

  • Sample

    221119-wy4dxshe9z

  • MD5

    97ebc55be1229c2fdec3edd582a4b7f5

  • SHA1

    2d27e899704d74a88696c402f638f83d6b733f3e

  • SHA256

    32ad4debd99aa2f13ce76dd248ff89710130e18e0427466179217256fba79357

  • SHA512

    0517a5d48a70aa423f3a7e6cf215f67fd9f1d6c6273642ffbe2e64a901d3ec207ef267e156a59ee71b4a7eb7e95a04ff427a83ce75cdf706ed596e3e984512d5

  • SSDEEP

    96:aXaIztK8DAKuxcDFlIdLfTXTWBkYPeDsOpDOxk7AVdbFRzNt:aXawo7KPKdLfykY2oOpDOi7ARz

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3363

212.193.30.230:3362

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Cantbeme@1

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      RFQ.exe

    • Size

      7KB

    • MD5

      97ebc55be1229c2fdec3edd582a4b7f5

    • SHA1

      2d27e899704d74a88696c402f638f83d6b733f3e

    • SHA256

      32ad4debd99aa2f13ce76dd248ff89710130e18e0427466179217256fba79357

    • SHA512

      0517a5d48a70aa423f3a7e6cf215f67fd9f1d6c6273642ffbe2e64a901d3ec207ef267e156a59ee71b4a7eb7e95a04ff427a83ce75cdf706ed596e3e984512d5

    • SSDEEP

      96:aXaIztK8DAKuxcDFlIdLfTXTWBkYPeDsOpDOxk7AVdbFRzNt:aXawo7KPKdLfykY2oOpDOi7ARz

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks