General
-
Target
Absa.exe
-
Size
1.1MB
-
Sample
210422-tyxtlelz3s
-
MD5
543b483edf1e71d19b7e2ca64ce9e2d9
-
SHA1
9c91f6bf2f7d23f288119d95999e107308151f8a
-
SHA256
71bb1f2e0a1aecf13985a354d05fb522c85746e08a01a858a4473237a96e85fd
-
SHA512
b0f2111e1a7c6977548b983cfb1abc92b9d2690d04d7c85ef0cde35b869fcac9666163821212088dc90a5afb1c533adf69d7bbc53939caea6996a6187a9006a7
Malware Config
Extracted
netwire
194.5.97.181:3383
194.5.97.181:3385
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
London@1961
-
registry_autorun
false
- startup_name
-
use_mutex
false
Targets
-
-
Target
Absa.exe
-
Size
1.1MB
-
MD5
543b483edf1e71d19b7e2ca64ce9e2d9
-
SHA1
9c91f6bf2f7d23f288119d95999e107308151f8a
-
SHA256
71bb1f2e0a1aecf13985a354d05fb522c85746e08a01a858a4473237a96e85fd
-
SHA512
b0f2111e1a7c6977548b983cfb1abc92b9d2690d04d7c85ef0cde35b869fcac9666163821212088dc90a5afb1c533adf69d7bbc53939caea6996a6187a9006a7
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-