General

  • Target

    NSC 070047YI6 GBO93680 JANUARY ORDER.lzh

  • Size

    593KB

  • Sample

    230123-mv5m5sef2s

  • MD5

    a757d2acf4225a9556a5f80140ff4a65

  • SHA1

    c5b21f965aee6c74e713735e9bbbd79c746f5eeb

  • SHA256

    99a7781a00d13830758f2d12a22ddd3482c25746f4eb8bbbd589570e12ceeb52

  • SHA512

    5e4ed81e1a6e762733a99db9881119ccfd460f77b1e9b9a89beb540b79cc4ced725d4000fe9430676a353f25d1a5bdbd4dec164a5759fef2bcccf65aeefd89e0

  • SSDEEP

    12288:1HWjNnqdiqRtp4qn89lH2i9aSPRRFGfPASYJZQ45uNr/HpmbRSWU7WzROCo:YjNnqQqRH8/WdSbUlY6NToRSh7Wz0Co

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:6063

Attributes

  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    TestLink.lnk

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    Password123@

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      NSC 070047YI6 GBO93680 JANUARY ORDER.exe

    • Size

      668KB

    • MD5

      223b07d0d0f8f545b660ee7198e27ba9

    • SHA1

      13ad5ae4e4df4b1349cb2f4c45ddbecc92b94602

    • SHA256

      a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570

    • SHA512

      e34615a0cbf95495aa87f076c87b0b83ec661dba5dfbc9e1acbe8bc16d019e43a5e609073fc632d536f2ac3648013b6d29b2be7aa61dc0b938164e7627d7c58a

    • SSDEEP

      12288:yduL66BBZ9/XT5npnRSU+L3IvaMzJ2JAtML7fYYsoefV:9LVP3r51wU+Qd1XMLL9shfV

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks