General

Target: 010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
Size: 4.1MB
Sample: 220717-bf4xhshge8
MD5: 982e96ee0c8fac7fec39c44a55530f4b
SHA1: 1e1a1a19b74555371f8194d6eb2a6cc24b907c81
SHA256: 010299823d93a9793d8719f39876a45af3a9ad4fafbcda6c3ed31a94c9d4149a
SHA512: df2c99f48bc1c4a8815f0de6fa343248679524c3c1569e1521e8ffe4c4ede6db126b117dc44b3bcb2f888259d723c55ccd6e1970ea4c85a5be70361d2fd29a1b
Static task: static1

Behavioral task: behavioral1
Sample: 010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: 010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
Resource: win10v2004-20220715-en
Malware Config

Extracted family: netwire
C2: clients.enigmasolutions.xyz:54573
activex_autorun: false
copy_executable: true
delete_original: false
host_id: Cleint-%Rand%
install_path: %AppData%\Microsoft\MMC\ruj.exe
keylogger_dir: %AppData%\msr\
lock_executable: false
offline_keylogger: true
password: \tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun: true
startup_name: ruj
use_mutex: false
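The extracted fields above (C2 endpoint, install_path, keylogger_dir, startup_name) are the parts of a NetWire build that leave traces on a host, so they convert directly into detection checks. The following is an added example, not part of the sandbox report or of any vendor tooling: it turns those values into regexes and runs them over a few constructed, Sysmon-shaped JSON events. The field names (EventID, Image, TargetFilename, TargetObject, Details, DestinationHostname, DestinationPort) and the expansion of %AppData% to the roaming profile are assumptions; map them to whatever your telemetry actually emits.

```python
"""Host and network checks derived from the NetWire config extracted above.

Added example, not part of the sandbox report. The sample events are constructed
JSON lines in a Sysmon-like shape; their field names are assumptions.
"""
import json
import re

# Values copied from the extracted config on this page.
NETWIRE = {
    "c2": "clients.enigmasolutions.xyz:54573",
    "install_path": "%AppData%\\Microsoft\\MMC\\ruj.exe",
    "keylogger_dir": "%AppData%\\msr\\",
    "startup_name": "ruj",
}

# Assumption: NetWire's %AppData% is the roaming profile directory.
PLACEHOLDERS = {"%AppData%": r".*\\AppData\\Roaming"}


def path_regex(config_path, exact):
    """Turn a config path with %Var% placeholders into a case-insensitive regex.

    Known placeholders get their expansion, unknown ones match anything.
    exact=True anchors at the end (a file); exact=False allows children (a dir).
    """
    pattern = ""
    for tok in re.split(r"(%[A-Za-z]+%)", config_path):
        if not tok:
            continue
        pattern += PLACEHOLDERS.get(tok, ".*") if tok.startswith("%") else re.escape(tok)
    return re.compile(pattern + ("$" if exact else ""), re.IGNORECASE)


INSTALL_RE = path_regex(NETWIRE["install_path"], exact=True)
KEYLOG_RE = path_regex(NETWIRE["keylogger_dir"], exact=False)
RUNKEY_RE = re.compile(
    r"\\CurrentVersion\\Run\\" + re.escape(NETWIRE["startup_name"]) + "$", re.IGNORECASE
)
C2_HOST, C2_PORT = NETWIRE["c2"].rsplit(":", 1)
C2_PORT = int(C2_PORT)


def check_event(ev):
    """Return the names of the NetWire indicators a single event matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1 and INSTALL_RE.match(ev.get("Image", "")):  # process create
        hits.append("netwire_install_path_executed")
    if eid == 11:  # file create
        target = ev.get("TargetFilename", "")
        if INSTALL_RE.match(target):
            hits.append("netwire_executable_dropped")
        if KEYLOG_RE.match(target):
            hits.append("netwire_keylogger_dir_write")
    if eid == 13 and RUNKEY_RE.search(ev.get("TargetObject", "")):  # registry value set
        hits.append("netwire_run_key_set")
        if INSTALL_RE.match(ev.get("Details", "")):  # value points at the install path
            hits.append("netwire_run_key_points_to_install_path")
    if eid == 3:  # network connection
        if ev.get("DestinationHostname", "").lower() == C2_HOST:
            hits.append("netwire_c2_host")
        elif ev.get("DestinationPort") == C2_PORT:
            hits.append("netwire_c2_port_only")  # weak alone: the port is not unique to NetWire
    return hits


def scan(lines):
    """Run check_event over JSON lines; return (line_index, indicator) pairs."""
    return [(i, h) for i, line in enumerate(lines) for h in check_event(json.loads(line))]


# Constructed sample telemetry (not real logs), following the config's paths.
SAMPLE_LOGS = [json.dumps(e) for e in [
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"},
    {"EventID": 13, "Image": "C:\\Users\\alice\\Downloads\\010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ruj",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\msr\\220717.dat"},
    {"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\MMC\\ruj.exe",
     "DestinationHostname": "clients.enigmasolutions.xyz", "DestinationPort": 54573},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "example.com", "DestinationPort": 443},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"},
]]

if __name__ == "__main__":
    for idx, indicator in scan(SAMPLE_LOGS):
        print(f"line {idx}: {indicator}")
```

The run-key check is the one to alert on with the least noise: a Run value named after startup_name whose data resolves to install_path ties the persistence and the drop together in a single event. The port-only match is deliberately separated out so it can be used for hunting rather than alerting.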
Targets

Target: 010299823D93A9793D8719F39876A45AF3A9AD4FAFBCD.exe
Size: 4.1MB (MD5, SHA1, SHA256 and SHA512 as listed under General)
Score: 10/10
- NetWire RAT payload
- Executes dropped EXE (consistent with copy_executable=true and the install_path in the extracted config)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Loads dropped DLL
- Adds Run key to start application (consistent with registry_autorun=true and startup_name=ruj in the extracted config)
- AutoIT Executable: AutoIT scripts compiled to PE executables
- Suspicious use of SetThreadContext