General
-
Target
Report.vbs
-
Size
2KB
-
Sample
210624-ch3dg92bzs
-
MD5
a8f586a5d679762297d619757ee0b3d4
-
SHA1
f7957547bba9c521db2714bcd2f30d446444ed14
-
SHA256
4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419
-
SHA512
9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c
Static task
static1
Behavioral task
behavioral1
Sample
Report.vbs
Resource
win7v20210410
Malware Config
Extracted
https://ia601503.us.archive.org/2/items/bypass_xca/bypass_xca.TXT
Extracted
https://ia601502.us.archive.org/24/items/server-lxx/Server_lxx_.txt
Extracted
netwire
185.19.85.172:1723
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
false
Targets
-
-
Target
Report.vbs
-
Size
2KB
-
MD5
a8f586a5d679762297d619757ee0b3d4
-
SHA1
f7957547bba9c521db2714bcd2f30d446444ed14
-
SHA256
4c9598c117cec5c9638aedfb48b1c8b18181f2e5265b723ff0210f9f79ef3419
-
SHA512
9253e310755262e16d90075f1507ecc9cf5c720af53f9f286f4a439163fda7187d400ad939ebf6afaf79cdf0926439cc6672f6421b39319e7c4e7e1cf1b50e2c
-
NetWire RAT payload
-
Blocklisted process makes network request
-
Suspicious use of SetThreadContext
-