General
-
Target
7c9df5ab3b23d6f93f280a7b29fdcd39cd5f68100a83d3b30aefee4990f34aef
-
Size
497KB
-
Sample
220520-2eh7jaacgj
-
MD5
17bdf63a8615bdcd21325ad817d0b7b7
-
SHA1
5aaa02ee090c3eeeb997c7a6d5ec683503981ea0
-
SHA256
7c9df5ab3b23d6f93f280a7b29fdcd39cd5f68100a83d3b30aefee4990f34aef
-
SHA512
63168ddcf9fcb8b2b6e05da932a2f54dca9cc591109fc06559b202b9deb35c6a44826a0fb248f6e894fe54b435d78c90a282a352fd4a21eb1c017dbde4569c5d
Malware Config
Extracted
netwire
sepp.myq-see.com:2001
-
activex_autorun
true
-
activex_key
{50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
XdWObmml
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
true
Targets
-
-
Target
0w1XziesiBaxbYs.exe
-
Size
520KB
-
MD5
f0cac1110e145d3b260ad6be1566dc10
-
SHA1
f0cf3f3d9ff962752dbf993ac5b75f1d574e0450
-
SHA256
506445199001be9096b17efc9f3e2a8025d0b167b1ce581831366b4d00e875dc
-
SHA512
b93c8925b7bb992debd30a374ad3c0e7a2eecfc5ff7a6972b02753e9e04f0a7886034f40fd20979734c49c1cdb3ff05d41486c4ffbcbfe07141ace3250ae80a2
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Modifies Installed Components in the registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-