General
-
Target
729f53999f24ee192bd9770bed62d1a23697dc2b8566d3403eace9c5d3cb51a2
-
Size
102KB
-
Sample
220217-a9flcagdaj
-
MD5
d2f5ab8472b4450986d54c658a3f202c
-
SHA1
62f31324fff31b60a8230ece42f0f9043aa7e1a9
-
SHA256
729f53999f24ee192bd9770bed62d1a23697dc2b8566d3403eace9c5d3cb51a2
-
SHA512
c44fc7a6d762a7188c3ffa3fae1a62f096137b932497296493315e809e7eb928e402c86fdf5f7c3c4e50b6c0d973fe95f5dfe9195960a47f22f9d0f17dff45db
Static task
static1
Behavioral task
behavioral1
Sample
729f53999f24ee192bd9770bed62d1a23697dc2b8566d3403eace9c5d3cb51a2.exe
Resource
win7-en-20211208
Malware Config
Extracted
netwire
cctv-home.ddns.me:3360
cctv-home.serveftp.com:3360
-
activex_autorun
true
-
activex_key
{R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}
-
copy_executable
true
-
delete_original
false
-
host_id
Money
-
install_path
%AppData%\Microcoft\operas.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
YwkrXNoi
-
offline_keylogger
true
-
password
dick
-
registry_autorun
true
-
startup_name
BrowsersPriv
-
use_mutex
true
Targets
-
-
Target
729f53999f24ee192bd9770bed62d1a23697dc2b8566d3403eace9c5d3cb51a2
-
Detect Neshta Payload
-
Modifies system executable filetype association
-
Neshta
Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.
-
NetWire RAT payload
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Loads dropped DLL
-
Adds Run key to start application
-