General

Target: D1682AA725C47B89C2066CFEAA8B3B55.exe
Size: 793KB
Sample: 210724-nrywbp1j3s
MD5: d1682aa725c47b89c2066cfeaa8b3b55
SHA1: c802cfd2f442200bafaf6a5fbeb70f52ee846bb2
SHA256: c539c08e04ef8ab4ee18e69ab3346214ffcbfd262679c558f7b5ca651767d61d
SHA512: f33216e03bbbb28c6238c903eec0871d6ed4cf7ebe15ebd5ac0dbfd9c468e661e1ec3a9010c571b45176a549f15055b7b85e98c5a35ece4a5f22ed311943b43f
Static task: static1
Behavioral task: behavioral1 (sample D1682AA725C47B89C2066CFEAA8B3B55.exe, resource win7v20210410)
Behavioral task: behavioral2 (sample D1682AA725C47B89C2066CFEAA8B3B55.exe, resource win10v20210408)
Malware Config

Extracted

Family: netwire
C2: nozomi.takanome.io:9030
C2: hikari.takanome.io:9030
activex_autorun: false
activex_key: (empty)
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: (empty)
keylogger_dir: %AppData%\Syslog\
lock_executable: false
mutex: (empty)
offline_keylogger: true
password: Jtenike70+
registry_autorun: false
startup_name: (empty)
use_mutex: false
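The extracted config above gives three host-observable indicators: the two C2 entries, the keylogger directory template and the host_id template. The script below is an added example, not part of this sandbox report and not NetWire tooling; it turns those values into hunting checks and runs them over a few constructed log lines. Everything not copied from the config is an assumption: the key=value log format, the expansion of %AppData% to a per-user Roaming profile directory, and %Rand% being alphanumeric. One caveat a hunter should keep in mind: the config has registry_autorun false, yet the behavioral run in the Targets section below flagged "Modifies WinLogon for persistence", so the config flags describe the RAT stub's own settings and do not account for the persistence the sandbox observed; these checks cover the network and keylogger artifacts only.

```python
r"""Hunting checks derived from the NetWire config extracted in the report.

Added example, not part of the sandbox report or of any NetWire tooling.
Copied from the report: the two C2 entries, keylogger_dir and host_id.
Assumed for this example: the key=value log format below (constructed),
that %AppData% expands to <drive>:\Users\<user>\AppData\Roaming, and that
%Rand% expands to an alphanumeric string.
"""
import re

# Values copied from the Malware Config section of the report.
C2_ENTRIES = ["nozomi.takanome.io:9030", "hikari.takanome.io:9030"]
KEYLOGGER_DIR = "%AppData%\\Syslog\\"
HOST_ID_TEMPLATE = "HostId-%Rand%"

# Assumed expansions of the template tokens (not NetWire-documented values).
ENV_EXPANSIONS = {
    "%AppData%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming",
    "%Rand%": r"[0-9A-Za-z]+",
}


def parse_c2(entries):
    """Split 'host:port' config entries into (host, port) pairs, rejecting bad ports."""
    pairs = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 entry: {entry!r}")
        pairs.append((host.lower(), int(port)))
    return pairs


def template_regex(template, anchor_end=False):
    """Compile a config template with %Token% placeholders into a regex.

    Literal text is escaped; each known token becomes its assumed expansion.
    The result is anchored at the start so a directory template matches as
    a path prefix; anchor_end=True makes it match the whole string.
    """
    pattern = re.escape(template)
    for token, expansion in ENV_EXPANSIONS.items():
        pattern = pattern.replace(re.escape(token), expansion)
    return re.compile("^" + pattern + ("$" if anchor_end else ""), re.IGNORECASE)


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse '<timestamp> key=value ...' (constructed format) into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def scan_log(text, c2_entries=C2_ENTRIES, keylogger_dir=KEYLOGGER_DIR):
    """Return (line_no, rule, value) for every line matching the extracted config.

    DNS queries and connections are matched on the C2 host name regardless of
    port, since the domain is the durable indicator; a connection on the
    configured port is reported under a separate, higher-confidence rule.
    """
    endpoints = set(parse_c2(c2_entries))
    hosts = {host for host, _ in endpoints}
    keylog_re = template_regex(keylogger_dir)
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        f = parse_line(line)
        event = f.get("event")
        if event == "dns_query" and f.get("host", "").lower() in hosts:
            hits.append((n, "netwire_c2_dns", f["host"]))
        elif event == "net_connect":
            host, _, port = f.get("dst", "").rpartition(":")
            if host.lower() in hosts:
                exact = port.isdigit() and (host.lower(), int(port)) in endpoints
                rule = "netwire_c2_endpoint" if exact else "netwire_c2_host_other_port"
                hits.append((n, rule, f["dst"]))
        elif event == "file_create" and keylog_re.match(f.get("path", "")):
            hits.append((n, "netwire_keylogger_dir", f["path"]))
    return hits


# Constructed sample telemetry for demonstration; not taken from the report.
SAMPLE_LOG = r"""2021-07-24T10:00:01Z event=dns_query host=www.example.com
2021-07-24T10:00:02Z event=dns_query host=NOZOMI.takanome.io
2021-07-24T10:00:03Z event=net_connect dst=hikari.takanome.io:9030
2021-07-24T10:00:04Z event=net_connect dst=hikari.takanome.io:443
2021-07-24T10:00:05Z event=file_create path=C:\Users\alice\AppData\Roaming\Syslog\log.txt
2021-07-24T10:00:06Z event=file_create path=C:\Users\alice\AppData\Roaming\Microsoft\Windows\notes.txt
"""


if __name__ == "__main__":
    for n, rule, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {rule} {value}")
```

Matching on the host name rather than on host:port is deliberate: the port is a per-build setting, while the domain survives rebuilds and is what a resolver log will show. The keylogger check is a case-insensitive prefix match under the expanded directory, so any file written there by any user profile is flagged; the same template_regex call with anchor_end=True validates a captured host_id value against the HostId-%Rand% pattern.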
Targets

Target: D1682AA725C47B89C2066CFEAA8B3B55.exe
Score: 10/10

Signatures
- Modifies WinLogon for persistence
- NetWire RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext