General
Target: 9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.zip
Size: 1021KB
Sample: 210623-75yxkahwp6
MD5: 06cdc76364c27b957f5b59560ed4c1d2
SHA1: 3bb240353f9f58397dc611ec100d6e20e0c124b7
SHA256: a11a2b4877664bfacaa49ce46f161af9e03c0a044832260da0c6977c610cbaae
SHA512: 56c2c1730ca717056bf41679de9785a1569f980624e7a3b35b0e4b178890beb5bc9a76241981cf30e92fd5ccc15c129e028dc1a20cdaa37ee9f391c9a65fce0e
Static task: static1
Behavioral task: behavioral1
Sample: 9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin.exe
Resource: win7v20210408
Malware Config
Extracted: netwire
donphilongz.org:5005
activex_autorun: false
activex_key:
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: uTGwFNvi
offline_keylogger: true
password: Password
registry_autorun: true
startup_name: NetWire
use_mutex: true
Targets
Target: 9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e.bin
Size: 1MB
MD5: aa4c23269c9b3026cf16225badbf7d5f
SHA1: 78247b69edd8cf0bdc064fcae5ab31470c62ab3a
SHA256: 9b61e86cf6899344b6e9564e1dbfacc24c8a99e9e9be8cd8f764dba7d4f7927e
SHA512: c9d6716616ddd6cd2ccf4679af1fbd2dff587f89ba89745c122d82fa8aabd6762a59534ad002c4ea5ddc9373328fbae7588f9d4b071f1083ce91915a73f7ab3c
- NetWire RAT payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext