General

  • Target

    df450053a3624d5a3ec698bbd0f36c73

  • Size

    312KB

  • Sample

    230321-ggyd1sgh87

  • MD5

    df450053a3624d5a3ec698bbd0f36c73

  • SHA1

    0b47abd8fafd93e3a511bccd02022e7ab970c267

  • SHA256

    77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2

  • SHA512

    5ec462faf27b7dcd11eea2152d7c5d335024e596ebe1d7afb492897091f3262fb3e6be6df6e84966c0086c8596dd8d10e1bd230cad393778f940e8b6af6ccce9

  • SSDEEP

    6144:WYa6AP1e4pG5Jy8Li7b/xxulxRv+lmIi7GMff56pw:WYqJQ5Jy8wklxROmT7GMIpw

Malware Config

Extracted

Family

netwire

C2

braboz.duckdns.org:1992

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    prosession

  • lock_executable

    false

  • offline_keylogger

    false

  • password

    golddigger

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      df450053a3624d5a3ec698bbd0f36c73

    • Size

      312KB

    • MD5

      df450053a3624d5a3ec698bbd0f36c73

    • SHA1

      0b47abd8fafd93e3a511bccd02022e7ab970c267

    • SHA256

      77d866ee2219b110e1999464f0d0c4913f4ad1d2b8dd4e2ca456da22cc18b9f2

    • SHA512

      5ec462faf27b7dcd11eea2152d7c5d335024e596ebe1d7afb492897091f3262fb3e6be6df6e84966c0086c8596dd8d10e1bd230cad393778f940e8b6af6ccce9

    • SSDEEP

      6144:WYa6AP1e4pG5Jy8Li7b/xxulxRv+lmIi7GMff56pw:WYqJQ5Jy8wklxROmT7GMIpw

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks