General

  • Target

    f9e2c79659921f4f0fa54e6d6d960f8e83c61577c2d0601ab2d56c65879b323f

  • Size

    911KB

  • Sample

    221128-brag2shf9t

  • MD5

    00ca2f10a413071f98f66b830aa9fe88

  • SHA1

    1d86fe0eb3d328221eb1a822f2ee825e78f5c520

  • SHA256

    f9e2c79659921f4f0fa54e6d6d960f8e83c61577c2d0601ab2d56c65879b323f

  • SHA512

    31cf5e4dabd966ead74a2e47d7307f0c88af25c58ec27118a67e73823d4f53abca9c98a74f7a708d30eb65352115990226d2c4a38a7f3d886e4cfa7780c6f2f4

  • SSDEEP

    12288:+K2mhAMJ/cPlhTrT58h7UZ6+5d2J/R+OOWy2PSQQhcuchCpjAHIC:v2O/GlRrK7nJQ5WRPuCXCdTC

Malware Config

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 3

Tasks