General
-
Target
PO0089.xll
-
Size
882KB
-
Sample
220707-f9e8gadggk
-
MD5
c25d7e6c1542e36fa2e9965e898af854
-
SHA1
dcfeba2eb15c25450ab6ed1feebd74716b5a679d
-
SHA256
3421fab2e0c172169fd91d427cc5e29e944e74fa2805eaf2783ad8bdf6092afb
-
SHA512
2a50a5eb3b88f6dbdc6def89e946b2682a5116f242de70ae9c2b75e4b0237d4b97e898f8883bce47af095581387bc80d0832cdc0ac6c8cdb7cb6d746bbdcbb8e
Malware Config
Extracted
Extracted
netwire
194.5.98.126:3378
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Pass@2023
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
PO0089.xll
-
Size
882KB
-
MD5
c25d7e6c1542e36fa2e9965e898af854
-
SHA1
dcfeba2eb15c25450ab6ed1feebd74716b5a679d
-
SHA256
3421fab2e0c172169fd91d427cc5e29e944e74fa2805eaf2783ad8bdf6092afb
-
SHA512
2a50a5eb3b88f6dbdc6def89e946b2682a5116f242de70ae9c2b75e4b0237d4b97e898f8883bce47af095581387bc80d0832cdc0ac6c8cdb7cb6d746bbdcbb8e
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-