General

  • Target

    1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe

  • Size

    1.1MB

  • Sample

    230502-16kzrscg76

  • MD5

    9c6d1aca02db373a52401485c376d87e

  • SHA1

    9cc4435729a11d7c524d761b67de508b4474b206

  • SHA256

    1a2c28a7682c26ddb97885fc056dc72b2c2df437c5fa3031226e34775095df06

  • SHA512

    9f4aaadf939a97e2354f18ef1943594edf2c6eb04852e4fecc68ff1eeee9146ff1ec1ac26191f8c9435e39b765da23f14aa835313de670d3235e6b4eb890955d

  • SSDEEP

    24576:iCdxte/80jYLT3U1jfsWa/69ryeoEuGfYsoRzDQ:zw80cTsjkWa/FR4

Malware Config

Extracted

Family

netwire

C2

halwachi50.mymediapc.net:5868

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      1A2C28A7682C26DDB97885FC056DC72B2C2DF437C5FA3.exe

    • Size

      1.1MB

    • MD5

      9c6d1aca02db373a52401485c376d87e

    • SHA1

      9cc4435729a11d7c524d761b67de508b4474b206

    • SHA256

      1a2c28a7682c26ddb97885fc056dc72b2c2df437c5fa3031226e34775095df06

    • SHA512

      9f4aaadf939a97e2354f18ef1943594edf2c6eb04852e4fecc68ff1eeee9146ff1ec1ac26191f8c9435e39b765da23f14aa835313de670d3235e6b4eb890955d

    • SSDEEP

      24576:iCdxte/80jYLT3U1jfsWa/69ryeoEuGfYsoRzDQ:zw80cTsjkWa/FR4

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks