General
-
Target
16f098e9ce7d2c6c0575af51f9dc139d.exe
-
Size
904KB
-
Sample
220827-3e4c5sade5
-
MD5
16f098e9ce7d2c6c0575af51f9dc139d
-
SHA1
19982bb99284f8ba1d0dfb70356a36b798cf7210
-
SHA256
288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000
-
SHA512
44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f
-
SSDEEP
12288:7aWzgMg7v3qnCiuErQohh0F4JCJ8lnyOcSyck41PNvDWpWTis+0Vz7w:OaHMv6CyrjtnyOcS5k8DWpSnw
Static task
static1
Behavioral task
behavioral1
Sample
16f098e9ce7d2c6c0575af51f9dc139d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
16f098e9ce7d2c6c0575af51f9dc139d.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
netwire
musaad1995-60255.portmap.host:60255
-
activex_autorun
false
-
activex_key
{0Q55O7T5-7PG8-1407-8Y6O-8DDRN68HAD86}
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Local\Microsoft\OneDrive\OneDrive.exe
-
keylogger_dir
OneDrive.lnk
-
lock_executable
false
-
mutex
vMnKWPIY
-
offline_keylogger
false
-
password
999000
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
16f098e9ce7d2c6c0575af51f9dc139d.exe
-
Size
904KB
-
MD5
16f098e9ce7d2c6c0575af51f9dc139d
-
SHA1
19982bb99284f8ba1d0dfb70356a36b798cf7210
-
SHA256
288719cc7ce53a7dc829be4a5d261e0c9229aca9097b72bea018fa7c9aa84000
-
SHA512
44535ec96b64d047055018661679e12632113fd3238b3492b6dcc730e1a78b4028deca62d529370e0e3b089984080d4477047bda4ac6a762da14573dcdf8125f
-
SSDEEP
12288:7aWzgMg7v3qnCiuErQohh0F4JCJ8lnyOcSyck41PNvDWpWTis+0Vz7w:OaHMv6CyrjtnyOcS5k8DWpSnw
Score10/10-
NetWire RAT payload
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-