General
-
Target
ac7f583d4b5d749a597e9dc4b3b98ed0N
-
Size
178KB
-
Sample
240914-cxqxnasclp
-
MD5
ac7f583d4b5d749a597e9dc4b3b98ed0
-
SHA1
404104cfb80b5b58770d0ec0444a077944275538
-
SHA256
482a32a7212835f9409569d63508576bc835e22b818c91465f334c667ad083b1
-
SHA512
56bbef71a31cf587ec4cc86eaf70302de09873b5ddbaf99205352431523b4819f159aaae96c13e037ef402ace6c76afc211dbe5ffb9fe66549fd2228b6546065
-
SSDEEP
3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwc:I7VzxYnWI6agAalr4UrPp8WStPQu28b
Malware Config
Extracted
netwire
wallou.publicvm.com:3365
mediafire.duckdns.org:3365
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
DLL2
-
keylogger_dir
%AppData%\System\
-
lock_executable
true
-
mutex
KgpcGWmM
-
offline_keylogger
true
-
password
Reborn
-
registry_autorun
false
-
use_mutex
true
Targets
-
-
Target
ac7f583d4b5d749a597e9dc4b3b98ed0N
-
Size
178KB
-
MD5
ac7f583d4b5d749a597e9dc4b3b98ed0
-
SHA1
404104cfb80b5b58770d0ec0444a077944275538
-
SHA256
482a32a7212835f9409569d63508576bc835e22b818c91465f334c667ad083b1
-
SHA512
56bbef71a31cf587ec4cc86eaf70302de09873b5ddbaf99205352431523b4819f159aaae96c13e037ef402ace6c76afc211dbe5ffb9fe66549fd2228b6546065
-
SSDEEP
3072:I7VNBmjq8Kmvn6rIVTYC7H2rAalUW4R6rv3p8WStxlQu2VCPwc:I7VzxYnWI6agAalr4UrPp8WStPQu28b
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1