General
-
Target
0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
-
Size
1.8MB
-
Sample
220625-waj1dadhek
-
MD5
74014427b135871d2597e75e67c57200
-
SHA1
6a69db7d0e6eff14400b497da1a3a38f3183e753
-
SHA256
0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888
-
SHA512
e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438
Malware Config
Extracted
netwire
alex419.duckdns.org:60622
178.239.21.185:60622
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
GRACE101
-
install_path
%AppData%\Install\file.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
NwgwuGDR
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
Abobex
-
use_mutex
true
Targets
-
-
Target
0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
-
Size
1.8MB
-
MD5
74014427b135871d2597e75e67c57200
-
SHA1
6a69db7d0e6eff14400b497da1a3a38f3183e753
-
SHA256
0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888
-
SHA512
e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-