General
- Target: 59e1199f32a8f13b0efbdd092b02b165.exe
- Size: 631KB
- Sample: 210503-zcg55b7ps2
- MD5: 59e1199f32a8f13b0efbdd092b02b165
- SHA1: aed745bc896ea20b20859f55a3a18ca10e1463e3
- SHA256: 9133c16f469cf207152a1a8b2d8f0c59533d2f632b17828973c6a6a37b31fa97
- SHA512: b6607e0246b398db47de1b852e0b94ab311c5d0d423ce735a6e537b13563f381112afb9311fd6a80a580075dfccfd0f29d4ac8cf224cbd9eee7dbdda75899f8d
Static task: static1
Behavioral task: behavioral1
- Sample: 59e1199f32a8f13b0efbdd092b02b165.exe
- Resource: win7v20210408
Malware Config
Extracted: netwire
79.134.225.52:31360
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir:
- lock_executable: false
- mutex:
- offline_keylogger: false
- password: Favor1000$
- registry_autorun: false
- startup_name:
- use_mutex: false
Targets
- Target: 59e1199f32a8f13b0efbdd092b02b165.exe
- NetWire RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of SetThreadContext