General
-
Target
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin
-
Size
212KB
-
Sample
210719-jnjdl2287e
-
MD5
aeae64fab4622ed23e1c61d26de74249
-
SHA1
5dabbf8093eed124e64a7e39c83e14976a74b8bb
-
SHA256
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065
-
SHA512
ca6602e3ee04b174581b90cde554a6bdf5f7560fd1ccbae26982df297e8daf18db63219029322ff2e2ea950d8a284311d7486086c9048d1b247f2dd62a953050
Malware Config
Extracted
netwire
127.0.0.1:3360
chrisle79.ddns.net:4414
jacknop79.ddns.net:4414
smath79.ddns.net:4414
whatis79.ddns.net:4414
goodgt79.ddns.net:4414
bonding79.ddns.net:4414
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
June 2021
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
Password2$
-
registry_autorun
false
- startup_name
-
use_mutex
false
Targets
-
-
Target
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065.bin
-
Size
212KB
-
MD5
aeae64fab4622ed23e1c61d26de74249
-
SHA1
5dabbf8093eed124e64a7e39c83e14976a74b8bb
-
SHA256
355059ce41fbbee772dd141c99c2a8e4e9d9d9769d1892ab27422d1ca91c5065
-
SHA512
ca6602e3ee04b174581b90cde554a6bdf5f7560fd1ccbae26982df297e8daf18db63219029322ff2e2ea950d8a284311d7486086c9048d1b247f2dd62a953050
Score10/10-
Modifies WinLogon for persistence
-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-