General

Target: 8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe
Size: 3.0MB
Sample: 220904-gkxlwsbadm
MD5: 76dcf81a67e2661ad35a3270b38f7513
SHA1: fa7b809286f880f938529680fe9ac15f1af4cd6c
SHA256: 8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143
SHA512: 50e33272e6d086e13175119052fac0d614649d200ea40dcc18a6bb7702281ebaaf3135bdd5903d0efc4422122174f863cbbd49060b46a8f8a8924faf83ebbd4a
SSDEEP: 49152:kAI+tes2jTe59++yYZSk55P/eRK+FuuI9xYJdn5tvkRo8u4Cfyqv:kAI+tx2v8AYZSkGRK0uuIozzvk0v
Static task: static1
Behavioral task: behavioral1
Sample: 8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe
Resource: win7-20220901-en (analysis VM image)
Malware Config

Extracted family: netwire
C2: alice2019.myftp.biz:3360 (a dynamic DNS hostname; pivot and block on the domain rather than on whatever IP it resolved to at analysis time)
activex_autorun: false
copy_executable: false
delete_original: false
host_id: TEST_4040 (identifier the implant reports to its C2)
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true (keystrokes are logged to disk under keylogger_dir)
password: Password (the passphrase NetWire derives its C2 traffic encryption key from)
registry_autorun: false
use_mutex: false
Targets

Target: 8DC073CC9C71F0EF0E77D8942A776886D3913D6C44D03.exe
Signatures:
- NetWire RAT payload
- Grants admin privileges: uses net.exe to modify the user's privileges.
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read to detect sandbox environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Suspicious use of SetThreadContext: typically seen when code is injected into another process (e.g. process hollowing).

Note that the extracted config has copy_executable and registry_autorun set to false, while the behavioral run shows a dropped EXE being executed, a dropped DLL being loaded and a Run key being added. That persistence is not produced by NetWire's own autorun option and should be examined separately; the dropped EXE and DLL are the obvious candidates.
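Added example (not code from the sandbox report or from its vendor): a Python triage helper that maps the extracted NetWire config and the behavioral signatures above to checks over normalized endpoint telemetry. The event schema, every event in SAMPLE_EVENTS, the `net localgroup ... /add` pattern and the registry paths assigned to each signature are assumptions made for this example; the report itself lists only the signature names and the config values.

```python
"""Added example, not part of the sandbox report: turn the extracted NetWire
config and the behavioural signatures into checks over normalised endpoint
telemetry. The event schema and every event in SAMPLE_EVENTS are constructed
for this example (they are not the sandbox's own trace)."""
import re

# Values copied from the extracted config in the report.
C2_HOST = "alice2019.myftp.biz"
C2_PORT = 3360
KEYLOGGER_DIR = "%AppData%\\Logs\\"

# "Grants admin privileges": the report only says net.exe modified the user's
# privileges; matching "net localgroup administrators ... /add" is an assumption.
NET_ADMIN_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.IGNORECASE)

# Registry locations behind the listed signatures. The report names only the
# signatures; these are the well-known keys such checks read or write, so the
# exact paths are an assumption. Each entry: (event type, case-folded substring).
REG_SIGS = {
    "Checks BIOS information in registry":
        ("reg_read", "\\hardware\\description\\system\\bios"),
    "Checks computer location settings":
        ("reg_read", "\\control panel\\international\\geo\\nation"),
    "Checks installed software on the system":
        ("reg_read", "\\currentversion\\uninstall\\"),
    "Adds Run key to start application":
        ("reg_set", "\\currentversion\\run\\"),
}


def expand_appdata(path, user="victim"):
    """Expand the %AppData% token the way it resolves on a default profile layout."""
    return path.replace("%AppData%", f"C:\\Users\\{user}\\AppData\\Roaming")


def classify(ev):
    """Return the names of the report signatures a single event supports."""
    hits = []
    kind = ev["type"]
    if kind == "proc_create" and NET_ADMIN_RE.search(ev.get("cmdline", "")):
        hits.append("Grants admin privileges")
    if kind == "dns" and ev.get("query", "").lower() == C2_HOST:
        hits.append("NetWire C2 DNS lookup")
    if (kind == "net_connect" and ev.get("host", "").lower() == C2_HOST
            and ev.get("port") == C2_PORT):
        hits.append("NetWire C2 connection")
    if kind == "file_create" and ev.get("path", "").lower().startswith(
            expand_appdata(KEYLOGGER_DIR).lower()):
        hits.append("Offline keylogger log written")
    if kind in ("reg_read", "reg_set"):
        # Join key and value name so one substring covers both key and value hits.
        obj = (ev.get("key", "") + "\\" + ev.get("value", "")).lower()
        for name, (want_kind, needle) in REG_SIGS.items():
            if kind == want_kind and needle in obj:
                hits.append(name)
    return hits


def scan(events):
    """Group events by the signature they support; keys are signature names."""
    summary = {}
    for ev in events:
        for name in classify(ev):
            summary.setdefault(name, []).append(ev)
    return summary


# Constructed telemetry for one infected host, roughly in the order the
# report's signatures would fire. Not taken from the report.
SAMPLE_EVENTS = [
    {"type": "proc_create", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net localgroup Administrators victim /add"},
    {"type": "reg_read", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS",
     "value": "SystemManufacturer"},
    {"type": "reg_read", "key": "HKCU\\Control Panel\\International\\Geo",
     "value": "Nation"},
    {"type": "reg_read",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Notepad++",
     "value": "DisplayName"},
    {"type": "reg_set",
     "key": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": "C:\\Users\\victim\\AppData\\Roaming\\Host.exe"},
    {"type": "dns", "query": "alice2019.myftp.biz"},
    {"type": "net_connect", "host": "alice2019.myftp.biz", "port": 3360},
    {"type": "file_create",
     "path": "C:\\Users\\victim\\AppData\\Roaming\\Logs\\20220904.dat"},
    # A read of the Run key is not persistence; it must not count as a hit.
    {"type": "reg_read",
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "OneDrive"},
]

if __name__ == "__main__":
    for name, evs in scan(SAMPLE_EVENTS).items():
        print("%-40s %d event(s)" % (name, len(evs)))
```

Run it directly to print one line per matched signature. The DNS and connection checks key on the C2 domain rather than an IP because myftp.biz is a dynamic DNS service and the resolution seen in the sandbox is not stable; the Run-key check fires only on a value being set, so routine reads of the Run key by legitimate software do not count as persistence.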