General
Target: suspicious.7z
Size: 153KB
Sample: 210622-egjfz63ajx
MD5: c17d89accbb49871febfdf9232933eb7
SHA1: fee016c094d77effaa4684b6e7b662cce63a3deb
SHA256: ad11544500a2b130ea4bd8f77a86a65d2c4d08efd6bb80de98a2bb5703cdbb0f
SHA512: 2346830d8499d1af164ba14b58f6e5d73cc73e32e53903875cb7539893df112501fa186c2686f1804cb8dd4ad2be797ebc828c27e35ae559271ab17dbd1d897c
Static task: static1
Behavioral task: behavioral1
Sample: suspicious.file.exe
Resource: win7v20210408
Malware Config
Extracted: netwire
C2:
- 37.233.101.73:8888
- 213.152.162.104:8747
- 213.152.162.170:8747
- 213.152.162.109:8747
- 213.152.162.89:8747
- 109.232.227.138:8747
- 109.232.227.133:8747
- 213.152.161.211:8747
- 213.152.162.94:8747
- 213.152.161.35:8747
- 213.152.180.5:8747
activex_autorun: true
activex_key: {H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}
copy_executable: true
delete_original: true
host_id: IP
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
mutex: bmhJQHdn
offline_keylogger: true
password: DAWAJkurwoKASEniePIERDOL
registry_autorun: true
startup_name: NetWire
use_mutex: true
Targets
Target: suspicious.file
Size: 161KB
MD5: 0255bd3821f28877f068e8d9dc7cc22b
SHA1: 73064d0b8d0c9359665d31db4a6e8e19a8d47b87
SHA256: 1c7f0b3ab5e64a3a8d2182e10b8c0ab78c63c505273505fc50fc9810962ab83b
SHA512: 812ed4fe0d44c67514e808f451e46d5282a8e758e6dbb732e3d8f8d3ddf6223f69bed980792ad0852f66d895f8752328f42a577785c57747391598e915cd30d9
Signatures:
- NetWire RAT payload
- Executes dropped EXE
- Modifies Installed Components in the registry
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
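The extracted configuration and the behavioural signatures above turned into host and network checks, as an added example that is not part of this sandbox report or of NetWire itself. Only the values copied from the report (C2 list, install_path, keylogger_dir, startup_name, activex_key, mutex) are taken from the page; everything else is an assumption: the event records are a constructed, simplified Sysmon-like shape with field names chosen here, %AppData% is assumed to expand to ...\AppData\Roaming, and the "Modifies Installed Components in the registry" signature is assumed to correspond to an Active Setup\Installed Components key named by activex_key (consistent with the signature, but the report does not state the key path).

```python
"""Host/network IOC checks built from the NetWire config in this report.

Added example, not code from the report or from NetWire. Event shape, field
names and sample events are constructed assumptions; adapt to your telemetry.
"""

# Values copied verbatim from the report's "Malware Config" section.
NETWIRE_CONFIG = {
    "c2": [
        "37.233.101.73:8888", "213.152.162.104:8747", "213.152.162.170:8747",
        "213.152.162.109:8747", "213.152.162.89:8747", "109.232.227.138:8747",
        "109.232.227.133:8747", "213.152.161.211:8747", "213.152.162.94:8747",
        "213.152.161.35:8747", "213.152.180.5:8747",
    ],
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "mutex": "bmhJQHdn",
    "startup_name": "NetWire",
    "activex_key": "{H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}",
}

# Assumption: %AppData% expands under the user's profile to ...\AppData\Roaming.
APPDATA_EXPANDED = "\\appdata\\roaming"


def parse_c2(entry):
    """'ip:port' -> (ip, port) for the C2 list; split on the last colon."""
    host, port = entry.rsplit(":", 1)
    return host, int(port)


def c2_pairs(cfg):
    return {parse_c2(e) for e in cfg["c2"]}


def path_tail(path):
    """Strip the %AppData% prefix and lowercase, leaving the profile-relative tail."""
    p = path.lower()
    if p.startswith("%appdata%"):
        p = p[len("%appdata%"):]
    return p


def scan_events(events, cfg=NETWIRE_CONFIG):
    """Return (rule, detail) hits for events that match the extracted config."""
    c2 = c2_pairs(cfg)
    install_tail = APPDATA_EXPANDED + path_tail(cfg["install_path"])
    keylog_tail = APPDATA_EXPANDED + path_tail(cfg["keylogger_dir"])
    run_value = "\\currentversion\\run\\" + cfg["startup_name"].lower()
    guid = cfg["activex_key"].lower()
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "network":
            # Exact ip:port pairs only; the ports here are not NetWire-specific.
            if (ev["dst_ip"], int(ev["dst_port"])) in c2:
                hits.append(("c2_connection", f'{ev["dst_ip"]}:{ev["dst_port"]}'))
        elif kind == "process":
            if ev["image"].lower().endswith(install_tail):
                hits.append(("install_path_exec", ev["image"]))
        elif kind == "registry":
            key = ev["key"].lower()
            if key.endswith(run_value):          # "Adds Run key" with startup_name
                hits.append(("run_key_autorun", ev["key"]))
            if guid in key:                      # activex_key GUID anywhere in a key path
                hits.append(("installed_components_autorun", ev["key"]))
        elif kind == "file":
            if keylog_tail in ev["path"].lower():
                hits.append(("keylogger_dir_write", ev["path"]))
    return hits


# Constructed sample telemetry (not from the report): three benign-looking
# records and four that mirror the configured artifacts.
SAMPLE_EVENTS = [
    {"type": "network", "image": "C:\\Users\\bob\\AppData\\Roaming\\Install\\Host.exe",
     "dst_ip": "213.152.162.104", "dst_port": 8747},
    {"type": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53},
    {"type": "process", "image": "C:\\Users\\bob\\AppData\\Roaming\\Install\\Host.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe"},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\NetWire",
     "data": "%AppData%\\Install\\Host.exe"},
    {"type": "registry",  # assumed Active Setup location for the activex_key GUID
     "key": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
            "{H15R52OJ-8CJI-H436-22TJ-P25072J3Q326}\\StubPath",
     "data": "C:\\Users\\bob\\AppData\\Roaming\\Install\\Host.exe"},
    {"type": "file", "path": "C:\\Users\\bob\\AppData\\Roaming\\Logs\\22-06-2021"},
]


if __name__ == "__main__":
    for rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

The matches are deliberately narrow (exact C2 ip:port pairs, the Run value named by startup_name, the install path under the expanded %AppData%) so the checks can be run over real telemetry without flooding on port 8747 alone; the mutex bmhJQHdn is carried in the config for a live-host check (for example, a handle enumeration) and is not matched against these event types.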