General

  • Target

    322d2fdb6bdefc516d4be643bce9f464abdaf8aa24d50ac30bcf9d59d084c8a1

  • Size

    269KB

  • Sample

    230129-t2wr5sfb9v

  • MD5

    f61e07061a9240bcc953a8a51aca7145

  • SHA1

    3d209df832fef255d971c7c3f9d71ffda29a06b5

  • SHA256

    322d2fdb6bdefc516d4be643bce9f464abdaf8aa24d50ac30bcf9d59d084c8a1

  • SHA512

    c0e0e9d2cfaaf252b3401ab44d695ff895b6cefad0e0692df2b2577356546a7803eb8579aa95f297a4640b3ebeb12b9a47fd9dbc5b01ff5957523c547e721aac

  • SSDEEP

    6144:U8vJG2WGCVV+qyb6UPPWdRTdPfLipUwCzoNeEKFAqBOPjnkXbT:UYJIXVVbY6UPP6RTdPBwNeE+QbO

Malware Config

Extracted

Family

netwire

C2

iammrjeff00.duckdns.org:1181

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    MR-J

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password1

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      Quotation CTT5684.exe

    • Size

      577KB

    • MD5

      870937bfc582473b8b55263cdd9de6c2

    • SHA1

      53ef5972b622a434b1fe5e4697445a54e8b387b1

    • SHA256

      5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886

    • SHA512

      9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6

    • SSDEEP

      12288:vUWcNPJg+MO3/vSLDrw32Zl1zLbHWEpPmB+Rm4mXN4HJUCePad0VL6lwP0FzWSgk:/cJArl1zLbHWEpPmB+Q4mXKHKCePad0w

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2
