General

  • Target

    SDA EMV Chip Writer By Paws.exe

  • Size

    3.8MB

  • Sample

    241119-h3lssa1pey

  • MD5

    30ee6aaf50e4b4369e0a1634afbcd757

  • SHA1

    b2ee5b9c07098a1058ae9778ad59396b8b8c9878

  • SHA256

    7f4d0810b884d9647d5374550187a123f009ce8f6450d5dab818a2384358fb06

  • SHA512

    bec9661218c6fe09f7c048e4264def14815da93ab258209e3acc2e3e72b5f08aa6f6aea14c24973f2c0abbe3a54f1e820b3f712c8a0d8a8d474d6e19e4b73cec

  • SSDEEP

    98304:tMryTmxddk6tVOfALLIVjnz25r/8XnveOZxho:vKxdBt84Ehur/82iPo

Malware Config

Extracted

  • Family

    netwire

  • C2

    local.cable-modem.org:3361
    teamviewer.ddns.net:3361
    optic.cable-modem.org:3361
    teamviewer.ddns.me:3361
    logmein.loginto.me:3361

Attributes

  • activex_autorun

    true

  • activex_key

    {FV27BA78-2S2J-Y2KF-44D4-X6XR4251FJEB}

  • copy_executable

    true

  • delete_original

    false

  • host_id

    BTC2020

  • install_path

    %AppData%\instal\crhomeAT64bit.exe

  • keylogger_dir

    %AppData%\0pera\metaolgs.dat\

  • lock_executable

    false

  • mutex

    NLBJEoGj

  • offline_keylogger

    true

  • password

    anjing

  • registry_autorun

    true

  • startup_name

    tvnserver

  • use_mutex

    true

Targets

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging; it also includes remote control capabilities.

    • Netwire family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15