General

Target: 09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8
Size: 786KB
Sample: 220217-h5knhabfcq
MD5: 1cdf8fa8ddae20c8c6a302e67f1f4acb
SHA1: b0dc15105131707ce20039df436463549fb4b913
SHA256: 09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8
SHA512: 27e160208c212d7cbbe3293233c7bd6301eb0d6a54191560017af3a2ae90d286f369cd4180d7959de4071effc621f84996e4ae4f7ec02dfc45851755d4411a75

Static task: static1
Behavioral task: behavioral1
Sample: 09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8.exe
Resource: win7-en-20211208

Malware Config

Extracted family: netwire
C2:
  cctv-home.ddns.me:3360
  cctv-home.serveftp.com:3360
activex_autorun: true
activex_key: {R5Q8L480-V2I5-AA1A-5GR0-RGV5X2101O0D}
copy_executable: true
delete_original: false
host_id: Money
install_path: %AppData%\Microcoft\operas.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: YwkrXNoi
offline_keylogger: true
password: dick
registry_autorun: true
startup_name: BrowsersPriv
use_mutex: true

Targets

Target: 09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8
Size: 786KB
MD5: 1cdf8fa8ddae20c8c6a302e67f1f4acb
SHA1: b0dc15105131707ce20039df436463549fb4b913
SHA256: 09dcbd4090a6ae4c8d19ec1e357a017722c33a38abf3b610982a11e742c37da8
SHA512: 27e160208c212d7cbbe3293233c7bd6301eb0d6a54191560017af3a2ae90d286f369cd4180d7959de4071effc621f84996e4ae4f7ec02dfc45851755d4411a75
Signatures:
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta: malware from the Neshta family infects other executable files in order to spread itself and cause damage.
- NetWire RAT payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Adds Run key to start application