General

  • Target

    2025-05-14_85e414fdd2e447e03d4f3c724d1b29b8_amadey_avoslocker_black-basta_cobalt-strike_elex_luca-stealer_qakbot

  • Size

    273KB

  • Sample

    250514-bmdznstvas

  • MD5

    85e414fdd2e447e03d4f3c724d1b29b8

  • SHA1

    db980ed136f642dc1d8e9b3926eeb6bff805616d

  • SHA256

    954f5e5d737d2af5ee509c5661dbb95819261eb90d7131f1fde9c3c798bb5d5d

  • SHA512

    bd910673ab6e22e6299df98385ef658f88ac18fd9c9582ed87f5d0ba1fa1e65201ec973ef0a9d933f2ceb7fbd9a2eb56b9a83f909b1f0d54f167b564fce132a7

  • SSDEEP

    6144:ebhnot4+sbOAtbkfHLDiT6OzR8Q0l+/NyqRKbhoXqqD8Xck8B:elnot4+UwLDiT6OzR8llAgqbB

Malware Config

Extracted

Family

netwire

C2

blockchainsync.dynns.com:5002

Attributes
  • activex_autorun

    false

  • activex_key

    {P53X5308-AC7D-A2X0-Q2GT-70K67S7URI1O}

  • copy_executable

    false

  • delete_original

    false

  • host_id

    FULLR-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • lock_executable

    false

  • mutex

    PvvshbTL

  • offline_keylogger

    false

  • password

    joker9

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      2025-05-14_85e414fdd2e447e03d4f3c724d1b29b8_amadey_avoslocker_black-basta_cobalt-strike_elex_luca-stealer_qakbot

    • Size

      273KB

    • MD5

      85e414fdd2e447e03d4f3c724d1b29b8

    • SHA1

      db980ed136f642dc1d8e9b3926eeb6bff805616d

    • SHA256

      954f5e5d737d2af5ee509c5661dbb95819261eb90d7131f1fde9c3c798bb5d5d

    • SHA512

      bd910673ab6e22e6299df98385ef658f88ac18fd9c9582ed87f5d0ba1fa1e65201ec973ef0a9d933f2ceb7fbd9a2eb56b9a83f909b1f0d54f167b564fce132a7

    • SSDEEP

      6144:ebhnot4+sbOAtbkfHLDiT6OzR8Q0l+/NyqRKbhoXqqD8Xck8B:elnot4+UwLDiT6OzR8llAgqbB

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Netwire family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v16

Tasks