General
- Target: 0c79a79bfa7a512a9dc8f95b152877750efd1ab82a1345627142dff132b757d0
- Size: 246KB
- Sample: 220521-pcf8yaacam
- MD5: 174b8019db6302d13033c732e6630ea8
- SHA1: 7ff521c20b53b1f2b53d1379884bed7d126f7b76
- SHA256: 0c79a79bfa7a512a9dc8f95b152877750efd1ab82a1345627142dff132b757d0
- SHA512: 0fd89a9d7c4a04623cd80ce71b2fcf1af413327ad702f250939e24b5e06171a2efc0e9f48b71bdb1903d83255943731c183e41295391dd2390c3c95b46495d45

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PO# 20200612-1AlbaPDF.exe
  - Resource: win7-20220414-en

Malware Config
Extracted family: netwire

C2 hosts:
- jswork.duckdns.org:7676
- jswork.ddns.net:7676

Configuration:
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: jswork
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: NokkODEH
- offline_keylogger: true
- password: 111aaa@@@
- registry_autorun: false
- startup_name:
- use_mutex: true

Targets
- Target: PO# 20200612-1AlbaPDF.exe
- Size: 296KB
- MD5: 93d00c69b45517418d0f60248f3fff02
- SHA1: 063d4997c2a13113f55c79c4db9f761f4c399e0b
- SHA256: aa7433f4fd0ef15eed9c75d0e37a849909f7661b4d30063cff58879287fd2358
- SHA512: e4d139cb3d4d11effa92c732e765a1540f39ed952e98b9dad6644ff4eb77d7b9196fd84c9d2c412127bf916c7feea2135595f27265a49a4befb8a8fa96cfc984

Signatures
- NetWire RAT payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext