General

  • Target: 244397d4ec28114ed99e163dd9236e5f75ffd84540e7d16212d93508a3e7889c
  • Size: 171KB
  • Sample: 221130-scjkvadd3t
  • MD5: 84f1f621d49f3492bb3fa019f3191435
  • SHA1: e5075b0bf2937b1f22102b4f46566f5fa10acb24
  • SHA256: 244397d4ec28114ed99e163dd9236e5f75ffd84540e7d16212d93508a3e7889c
  • SHA512: 8ecab39cc1b984eb6d2f1b337a99de66a666b9c32333800e53a2b1a7df378d4b65d81457d99a3b7da7501d1f0a25779f723f7d4ee89e23f6bafa8d2871f7a84c
  • SSDEEP: 3072:7FdEJIVzofEDRksPw6zCyOPhB5WobZanuD10biGKPaA+9uYGDugb/He:xd/3KxQMB/6k2bNA+9tGD5b

Malware Config

Extracted

Family: netwire

C2:
  • zicopele2018.sytes.net:3584
  • zicopele2018backup.sytes.net:3584

Attributes
  • activex_autorun: false
  • copy_executable: false
  • delete_original: false
  • host_id: HostId-%Rand%
  • keylogger_dir: %AppData%\Logs\
  • lock_executable: false
  • mutex: vkRChWpP
  • offline_keylogger: true
  • password: Password
  • registry_autorun: false
  • use_mutex: true

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionalities are focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Drops startup file

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scripting, T1064 (1)
  • Defense Evasion: Scripting, T1064 (1)

Tasks