General
Target: dPFhxftFKA_vajay.js
Size: 20KB
Sample: 220906-jkb2aseebr
MD5: b07d5c907ab0e2d697eac1872c82060a
SHA1: 02e24e112878e1cc580b0d93a7f167f91336d7f8
SHA256: b46390699324ac86769f0196065f992ca7576cff4417044bf987ae0f52829b5d
SHA512: d47a395ccf6f6328cade449bfa521408bd5b6f74ae42f2165023d1b1b6b7cca837004f8acd4e469f3245dac25563aa36697501195d394910feb174ed1c1d101a
SSDEEP: 384:4bxiLjQikIhzQhXOdjeBciOdFIuiOdhEd94HFPaGnSb7qnIl9YD9p20kl:6gLkikIhMOYHOQpOmKFGb7+IUCl
Static task: static1
Behavioral task: behavioral1
  Sample: dPFhxftFKA_vajay.js
  Resource: win7-20220901-en
Malware Config
Extracted: vjw0rm
  http://212.193.30.230:7975
Extracted: netwire
  212.193.30.230:3361
  activex_autorun: false
  copy_executable: false
  delete_original: false
  host_id: Agu
  lock_executable: true
  mutex: FLgBvYjx
  offline_keylogger: false
  password: 60qHmHSy2L
  registry_autorun: true
  startup_name: NetWire
  use_mutex: true
Targets
Target: dPFhxftFKA_vajay.js
Size: 20KB
MD5: b07d5c907ab0e2d697eac1872c82060a
SHA1: 02e24e112878e1cc580b0d93a7f167f91336d7f8
SHA256: b46390699324ac86769f0196065f992ca7576cff4417044bf987ae0f52829b5d
SHA512: d47a395ccf6f6328cade449bfa521408bd5b6f74ae42f2165023d1b1b6b7cca837004f8acd4e469f3245dac25563aa36697501195d394910feb174ed1c1d101a
SSDEEP: 384:4bxiLjQikIhzQhXOdjeBciOdFIuiOdhEd94HFPaGnSb7qnIl9YD9p20kl:6gLkikIhMOYHOQpOmKFGb7+IUCl
- NetWire RAT payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application