General
-
Target
13afc1f9891355d495a626a2a7cb4e21d7dc3c29339d9ca162730ae7f097781d
-
Size
385KB
-
Sample
220520-2nfsrsffd7
-
MD5
b97a86a838310932be2be42f92aa8474
-
SHA1
9196df6d6cbb20f6a9e7472aa7a3e602a63084dc
-
SHA256
13afc1f9891355d495a626a2a7cb4e21d7dc3c29339d9ca162730ae7f097781d
-
SHA512
41deed6a30868813dde538b9ef85dd1c3decadfb63f01ac50b494ad19d5c8b0505aab712df10ef611b3cd7dec799a4da2f5017f41c657a20ba0468e7aa5ff926
Static task
static1
Behavioral task
behavioral1
Sample
lAKdWjhOYMA6YfG.exe
Resource
win7-20220414-en
Malware Config
Extracted
netwire
sepp.myq-see.com:2001
-
activex_autorun
true
-
activex_key
{50L4QLIK-5N0E-1U7P-5W65-RDN0R6N72FF0}
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
XdWObmml
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
- startup_name
-
use_mutex
true
Targets
-
-
Target
lAKdWjhOYMA6YfG.exe
-
Size
419KB
-
MD5
fd175da54494e88a5777471577927264
-
SHA1
60398520b817355b5644f4b3dfbb147638122dd2
-
SHA256
73b0fb36b1b8763ebb06328273016c4c4c65b20d2abc3b5bb0566a6f13aa086d
-
SHA512
ceb0f4aa2a962f5e5da4a7d5f1f50ebfb59918eb1ecaded728ae0266f1ae03e37a44f3e9dc06d1ebd5c46fc4bd1098191d5598090b3769a64ec8e369019ae7c3
-
NetWire RAT payload
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Modifies Installed Components in the registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-