General
- Target: b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b
- Size: 1.5MB
- Sample: 220216-1rz55sefgp
- MD5: ff5779e8d7f9aede2acbf785170794a1
- SHA1: 105ff45ef7217bae048069c14f28f519c482990f
- SHA256: b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b
- SHA512: 917d34fb99634303bd5fc81d60b012bdba19894138c5910ebc9077543a80c5991888837cd851cbad1f566f96b0fd9898acf43d870e96dd9fafe3662f7b6ad428
Static task: static1
Behavioral task: behavioral1
Sample: b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b.exe
Resource: win7-en-20211208
Malware Config
Extracted
netwire
cctv-home.ddns.me:3360
cctv-home.serveftp.com:3360
- activex_autorun: true
- activex_key: {R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}
- copy_executable: true
- delete_original: false
- host_id: Money
- install_path: %AppData%\Microcoft\operas.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: YwkrXNoi
- offline_keylogger: true
- password: dick
- registry_autorun: true
- startup_name: BrowsersPriv
- use_mutex: true
Targets
- Target: b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b
- Size: 1.5MB
- MD5: ff5779e8d7f9aede2acbf785170794a1
- SHA1: 105ff45ef7217bae048069c14f28f519c482990f
- SHA256: b6e73311b84d9cb907d7f3988b50272f7aacb443d5f96712952ce2dd6ae6102b
- SHA512: 917d34fb99634303bd5fc81d60b012bdba19894138c5910ebc9077543a80c5991888837cd851cbad1f566f96b0fd9898acf43d870e96dd9fafe3662f7b6ad428
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta
  Malware in the Neshta family is a file infector: it writes itself into other executable files to spread and damages the files it infects.
- NetWire RAT payload
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks BIOS information in registry
  BIOS information is often read to detect sandbox environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read to detect sandbox environments.
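The extracted NetWire config and the signature list above map directly onto host and network artifacts a responder can hunt for: the Run value named by startup_name, the Active Setup entry keyed by activex_key, the install and keylogger paths under %AppData%, the two C2 hostnames, and, for the Neshta component, a non-stock exefile open handler. The following is an added example in Python, not code from the report or the sandbox vendor, that derives those indicators from the config and checks them against constructed registry-dump and DNS-log samples. The registry locations chosen for the two autorun flags (the HKCU Run key and Active Setup Installed Components with a StubPath value), the stock `"%1" %*` exefile handler, and the tab-separated and "query <name>" line formats are assumptions of this example; the mutex and password are left out because they are not visible in registry or DNS data.

```python
import re
from typing import Dict, List, Tuple

# Values copied from the extracted NetWire config in this report.
NETWIRE_CONFIG = {
    "c2": ["cctv-home.ddns.me:3360", "cctv-home.serveftp.com:3360"],
    "activex_autorun": True,
    "activex_key": "{R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}",
    "install_path": "%AppData%\\Microcoft\\operas.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "registry_autorun": True,
    "startup_name": "BrowsersPriv",
}

# ASSUMPTION: where the two autorun flags land. The report only says
# "Adds Run key" and "Modifies Installed Components in the registry".
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
ACTIVE_SETUP_KEY = "HKCU\\Software\\Microsoft\\Active Setup\\Installed Components"
# ASSUMPTION: stock .exe launch handler; a file infector that hijacks the
# association replaces this with a path to itself.
EXEFILE_KEY = "HKCR\\exefile\\shell\\open\\command"
DEFAULT_EXEFILE_CMD = '"%1" %*'


def strip_appdata(path: str) -> str:
    """Drop the %AppData% prefix so the fragment matches any user profile."""
    return re.sub(r"^%AppData%", "", path, flags=re.IGNORECASE).lower()


def derive_indicators(cfg: dict) -> Dict[str, list]:
    """Turn config fields into (key, value-name) pairs, path fragments and C2 hosts."""
    reg: List[Tuple[str, str]] = []
    if cfg.get("registry_autorun"):
        reg.append((RUN_KEY, cfg["startup_name"]))
    if cfg.get("activex_autorun"):
        reg.append((ACTIVE_SETUP_KEY + "\\" + cfg["activex_key"], "StubPath"))
    paths = [strip_appdata(cfg["install_path"]), strip_appdata(cfg["keylogger_dir"])]
    hosts = [h.rsplit(":", 1)[0].lower() for h in cfg["c2"]]
    return {"registry": reg, "paths": paths, "hosts": hosts}


def scan_registry(lines: List[str], ind: Dict[str, list]) -> List[str]:
    """Scan constructed 'key<TAB>name<TAB>type<TAB>data' lines for the indicators."""
    findings = []
    for line in lines:
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 4:
            continue
        key, name, _type, data = parts
        if any(key.lower() == k.lower() and name.lower() == n.lower()
               for k, n in ind["registry"]):
            findings.append(f"netwire autorun: {key}\\{name} -> {data}")
        elif any(p in data.lower() for p in ind["paths"]):
            findings.append(f"netwire install path referenced: {key}\\{name} -> {data}")
        if (key.lower() == EXEFILE_KEY.lower()
                and name.lower() in ("", "(default)")
                and data != DEFAULT_EXEFILE_CMD):
            findings.append(f"exefile association hijacked: {data}")
    return findings


def scan_dns(lines: List[str], ind: Dict[str, list]) -> List[str]:
    """Return queried names matching the C2 hosts (constructed '... query <name> A' lines)."""
    hosts = set(ind["hosts"])
    hits = []
    for line in lines:
        m = re.search(r"\bquery\s+(\S+)", line)
        if m:
            qname = m.group(1).lower().rstrip(".")
            if qname in hosts:
                hits.append(qname)
    return hits


# Constructed sample data: a benign Run value, the two NetWire autoruns, a
# hijacked exefile handler, a benign txtfile handler, and a RunOnce value
# that points at the install path under a different value name.
_AR = "C:\\Users\\bob\\AppData\\Roaming"
SAMPLE_REG = [
    f"{RUN_KEY}\tOneDrive\tREG_SZ\tC:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    f"{RUN_KEY}\tBrowsersPriv\tREG_SZ\t{_AR}\\Microcoft\\operas.exe",
    f"{ACTIVE_SETUP_KEY}\\{NETWIRE_CONFIG['activex_key']}\tStubPath\tREG_SZ\t{_AR}\\Microcoft\\operas.exe",
    f"{EXEFILE_KEY}\t(Default)\tREG_SZ\tC:\\Windows\\Temp\\hijack.exe \"%1\" %*",
    "HKCR\\txtfile\\shell\\open\\command\t(Default)\tREG_SZ\t%SystemRoot%\\system32\\NOTEPAD.EXE %1",
    f"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\tUpdater\tREG_SZ\t{_AR}\\Microcoft\\operas.exe",
]
SAMPLE_DNS = [
    "2022-02-16T10:01:02Z 10.0.0.7 query www.microsoft.com A",
    "2022-02-16T10:01:09Z 10.0.0.7 query cctv-home.ddns.me A",
    "2022-02-16T10:05:41Z 10.0.0.7 query cctv-home.serveftp.com. A",
]


def run() -> Tuple[List[str], List[str]]:
    ind = derive_indicators(NETWIRE_CONFIG)
    return scan_registry(SAMPLE_REG, ind), scan_dns(SAMPLE_DNS, ind)


if __name__ == "__main__":
    reg_findings, dns_hits = run()
    print("\n".join(reg_findings))
    print("C2 lookups:", dns_hits)
```

On a live host the same indicator set can be fed from `reg query` output and DNS or proxy logs; the %AppData% prefix is stripped so the install path matches whichever user profile the sample ran under, and the exefile check flags any handler other than the stock one rather than a specific infector filename.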