General
-
Target
SDA EMV Chip Writer By Paws.exe
-
Size
3.8MB
-
Sample
241119-h3lssa1pey
-
MD5
30ee6aaf50e4b4369e0a1634afbcd757
-
SHA1
b2ee5b9c07098a1058ae9778ad59396b8b8c9878
-
SHA256
7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
-
SHA512
bec9661218c6fe09f7c048e4264def14815da93ab258209e3acc2e3e72b5f08aa6f6aea14c24973f2c0abbe3a54f1e820b3f712c8a0d8a8d474d6e19e4b73cec
-
SSDEEP
98304:tMryTmxddk6tVOfALLIVjnz25r/8XnveOZxho:vKxdBt84Ehur/82iPo
Static task
static1
Malware Config
Extracted
netwire
local.cable-modem.org:3361
teamviewer.ddns.net:3361
optic.cable-modem.org:3361
teamviewer.ddns.me:3361
logmein.loginto.me:3361
-
activex_autorun
true
-
activex_key
{FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}
-
copy_executable
true
-
delete_original
false
-
host_id
BTC2020
-
install_path
%AppData%\instal\crhomeAT64bit.exe
-
keylogger_dir
%AppData%\0pera\metaolgs.dat\
-
lock_executable
false
-
mutex
NLBJEoGj
-
offline_keylogger
true
-
password
anjing
-
registry_autorun
true
-
startup_name
tvnserver
-
use_mutex
true
Targets
-
-
Target
SDA EMV Chip Writer By Paws.exe
-
Size
3.8MB
-
MD5
30ee6aaf50e4b4369e0a1634afbcd757
-
SHA1
b2ee5b9c07098a1058ae9778ad59396b8b8c9878
-
SHA256
7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06
-
SHA512
bec9661218c6fe09f7c048e4264def14815da93ab258209e3acc2e3e72b5f08aa6f6aea14c24973f2c0abbe3a54f1e820b3f712c8a0d8a8d474d6e19e4b73cec
-
SSDEEP
98304:tMryTmxddk6tVOfALLIVjnz25r/8XnveOZxho:vKxdBt84Ehur/82iPo
-
NetWire RAT payload
-
Netwire family
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1