General

Target: e7c8f83116d4cff278c25f184ed0ac7b70a28df079190b724fa9bd2df0c48929
Size: 2.5 MB
Sample: 220216-yzb26sced5
MD5: 8e2b84bf3b7ce719245baa430aa8089a
SHA1: 23b77c2de55fa970cfa6858cbc5013adb2ead985
SHA256: e7c8f83116d4cff278c25f184ed0ac7b70a28df079190b724fa9bd2df0c48929
SHA512: ff8579108d4fcb9bf0505a0c680feb6cf03753b34571f5f0d40463c20fc923c20651e79c1788df9d348e1218475503db040fbb3e05f7619cce069315dcccd539
Static task: static1
Behavioral task: behavioral1
Sample: e7c8f83116d4cff278c25f184ed0ac7b70a28df079190b724fa9bd2df0c48929.exe
Resource: win7-en-20211208
Malware Config (Extracted)

Family: netwire
C2: cctv-home.ddns.me:3360
C2: cctv-home.serveftp.com:3360
activex_autorun: true
activex_key: {R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}
copy_executable: true
delete_original: false
host_id: Money
install_path: %AppData%\Microcoft\operas.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: YwkrXNoi
offline_keylogger: true
password: dick
registry_autorun: true
startup_name: BrowsersPriv
use_mutex: true
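The extracted configuration maps directly onto host and network artifacts a responder can hunt for: the copied implant at install_path, the Run value named startup_name, the Active Setup entry keyed by activex_key, writes under keylogger_dir, and DNS lookups or connections to the two C2 hosts on port 3360. The Python below is an added example, not part of the sandbox report or the NetWire sample itself: it turns those values into matchers and runs them over a handful of Sysmon-style events (FileCreate 11, RegistryEvent 13, NetworkConnect 3, DnsQuery 22). The event records are constructed for the example; the assumption that activex_key lands under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and that %AppData% expands to C:\Users\<user>\AppData\Roaming are the author's, taken from general NetWire behaviour rather than from this report. The mutex YwkrXNoi does not appear in Sysmon telemetry and needs a live host check instead.

```python
"""Hunt for the NetWire IOCs extracted above in Sysmon-style event records."""
import re

# Indicators copied from the extracted config on this page.
NETWIRE_IOCS = {
    "c2_hosts": {"cctv-home.ddns.me", "cctv-home.serveftp.com"},
    "c2_port": 3360,
    "install_path": r"%AppData%\Microcoft\operas.exe",   # "Microcoft" is the sample's own spelling
    "keylogger_dir": r"%AppData%\Logs\ ".strip(),
    "startup_name": "BrowsersPriv",
    "activex_key": "{R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}",
}

# Assumption: %AppData% in the config expands to the per-user roaming profile.
ENV_FRAGMENTS = {
    "%appdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
}


def template_to_regex(template: str, prefix_match: bool = False) -> "re.Pattern[str]":
    """Turn a config path such as %AppData%\\Microcoft\\operas.exe into a
    case-insensitive regex over the expanded on-disk path.  Unknown %VARS%
    become a wildcard; prefix_match=True matches anything under a directory."""
    pieces = []
    for part in re.split(r"(%[^%]+%)", template):
        if part.startswith("%") and part.endswith("%"):
            pieces.append(ENV_FRAGMENTS.get(part.lower(), r".*"))
        else:
            pieces.append(re.escape(part))
    body = "^" + "".join(pieces) + ("" if prefix_match else "$")
    return re.compile(body, re.IGNORECASE)


def hunt(events, iocs=NETWIRE_IOCS):
    """Return (indicator, evidence) pairs for every event matching the config."""
    install_re = template_to_regex(iocs["install_path"])
    keylog_re = template_to_regex(iocs["keylogger_dir"], prefix_match=True)
    run_suffix = "\\currentversion\\run\\" + iocs["startup_name"].lower()
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # FileCreate
            target = ev.get("TargetFilename", "")
            if install_re.match(target):
                hits.append(("install_path", target))
            elif keylog_re.match(target):  # weak on its own; confirm the writer
                hits.append(("keylogger_dir", target))
        elif eid == 13:  # RegistryEvent (value set)
            key = ev.get("TargetObject", "")
            low = key.lower()
            if low.endswith(run_suffix):
                hits.append(("registry_autorun", key))
            elif iocs["activex_key"].lower() in low and "\\installed components\\" in low:
                hits.append(("activex_autorun", key))
        elif eid == 22:  # DnsQuery
            name = ev.get("QueryName", "").lower()
            if name in iocs["c2_hosts"]:
                hits.append(("c2_dns", name))
        elif eid == 3:  # NetworkConnect
            host = ev.get("DestinationHostname", "").lower()
            port = ev.get("DestinationPort")
            if host in iocs["c2_hosts"]:
                hits.append(("c2_connect", f"{host}:{port}"))
            elif port == iocs["c2_port"] and install_re.match(ev.get("Image", "")):
                hits.append(("c2_port_from_implant", f"{host}:{port}"))
    return hits


# Constructed events modelled on Sysmon field names; not from the report.
IMPLANT = r"C:\Users\victim\AppData\Roaming\Microcoft\operas.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\victim\Desktop\invoice.exe", "TargetFilename": IMPLANT},
    {"EventID": 13, "Image": r"C:\Users\victim\Desktop\invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\BrowsersPriv",
     "Details": IMPLANT},
    {"EventID": 13, "Image": IMPLANT,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}\StubPath",
     "Details": IMPLANT},
    {"EventID": 22, "Image": IMPLANT, "QueryName": "cctv-home.ddns.me"},
    {"EventID": 3, "Image": IMPLANT, "DestinationHostname": "cctv-home.serveftp.com", "DestinationPort": 3360},
    {"EventID": 11, "Image": IMPLANT, "TargetFilename": r"C:\Users\victim\AppData\Roaming\Logs\20220216.dat"},
    # Benign noise that must not match.
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for indicator, evidence in hunt(SAMPLE_EVENTS):
        print(f"{indicator:22} {evidence}")
```

The install_path and registry matchers are the high-confidence ones; a write under %AppData%\Logs\ or a connection to port 3360 is only meaningful when the acting process is the implant, which is why the code ties those two to the install_path regex on the Image field.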
Targets

Target: e7c8f83116d4cff278c25f184ed0ac7b70a28df079190b724fa9bd2df0c48929
Size: 2.5 MB

Detect Neshta Payload
Modifies system executable filetype association
Neshta: a file infector that injects itself into other executables, so every infected file that runs spreads it further.
NetWire RAT payload
Executes dropped EXE
Modifies Installed Components in the registry
Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.
Loads dropped DLL
Adds Run key to start application