General
Target: db4e7a1c3664a7f8e0f814643e33e4a3adb46697f59f11adb89a18e3ca9b5e2e
Size: 111KB
Sample: 220216-zfq8escgc6
MD5: c0621a342236c63d90699d65705e57b5
SHA1: 10e2506cdc615a4406c211adb4dd480ceef523c1
SHA256: db4e7a1c3664a7f8e0f814643e33e4a3adb46697f59f11adb89a18e3ca9b5e2e
SHA512: 7ed00a0b0c62c01fac1753f0d2c08e8d806465331094b0c00b113f3fa7e7c3d6991fa1e07724b4f789014c937e1d6fc1dc46ccc3ad8958df9ac0e9a41a478fe1
Static task: static1
Behavioral task: behavioral1
Sample: db4e7a1c3664a7f8e0f814643e33e4a3adb46697f59f11adb89a18e3ca9b5e2e.exe
Resource: win7-en-20211208
Malware Config
Extracted: netwire
  cctv-home.ddns.me:3360
  cctv-home.serveftp.com:3360
activex_autorun: true
activex_key: {R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}
copy_executable: true
delete_original: false
host_id: Money
install_path: %AppData%\Microcoft\operas.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: YwkrXNoi
offline_keylogger: true
password: dick
registry_autorun: true
startup_name: BrowsersPriv
use_mutex: true
Targets
Target: db4e7a1c3664a7f8e0f814643e33e4a3adb46697f59f11adb89a18e3ca9b5e2e
Size: 111KB
MD5: c0621a342236c63d90699d65705e57b5
SHA1: 10e2506cdc615a4406c211adb4dd480ceef523c1
SHA256: db4e7a1c3664a7f8e0f814643e33e4a3adb46697f59f11adb89a18e3ca9b5e2e
SHA512: 7ed00a0b0c62c01fac1753f0d2c08e8d806465331094b0c00b113f3fa7e7c3d6991fa1e07724b4f789014c937e1d6fc1dc46ccc3ad8958df9ac0e9a41a478fe1
Signatures:
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta: Malware from the Neshta family infects other files to spread itself and cause damage.
- NetWire RAT payload
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Adds Run key to start application