General
- Target: 8c50b75ddc7d9027f25ba64b6a79a28ca8cd92da1b53d474867380f028d2ec17
- Size: 252KB
- Sample: 220216-3vdsesfgcm
- MD5: 011899b8005bf3ca3dfcbc6b50b31c11
- SHA1: b27dbaf633b9e07ed5e3b0101101cea2bed827a9
- SHA256: 8c50b75ddc7d9027f25ba64b6a79a28ca8cd92da1b53d474867380f028d2ec17
- SHA512: 785f59466934feeada7f54f25e5610decabb68a0381b601223a406693a938d73f6184fdc8a5e08f12ea137a1b3c6061a56359f231fe058335c03b04d8d4feecc
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8c50b75ddc7d9027f25ba64b6a79a28ca8cd92da1b53d474867380f028d2ec17.exe
- Resource: win7-en-20211208
Malware Config
Extracted: netwire
  cctv-home.ddns.me:3360
  cctv-home.serveftp.com:3360
- activex_autorun: true
- activex_key: {R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}
- copy_executable: true
- delete_original: false
- host_id: Money
- install_path: %AppData%\Microcoft\operas.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: YwkrXNoi
- offline_keylogger: true
- password: dick
- registry_autorun: true
- startup_name: BrowsersPriv
- use_mutex: true
Targets
- Target: 8c50b75ddc7d9027f25ba64b6a79a28ca8cd92da1b53d474867380f028d2ec17
- Size: 252KB
- MD5: 011899b8005bf3ca3dfcbc6b50b31c11
- SHA1: b27dbaf633b9e07ed5e3b0101101cea2bed827a9
- SHA256: 8c50b75ddc7d9027f25ba64b6a79a28ca8cd92da1b53d474867380f028d2ec17
- SHA512: 785f59466934feeada7f54f25e5610decabb68a0381b601223a406693a938d73f6184fdc8a5e08f12ea137a1b3c6061a56359f231fe058335c03b04d8d4feecc
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta: Malware from the Neshta family injects itself into other files in order to spread and cause damage.
- NetWire RAT payload
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Adds Run key to start application