General
- Target: Confidential.exe
- Size: 727KB
- Sample: 220927-ksq1vsdaf3
- MD5: 77d64026e7224a2243bcb023766111e6
- SHA1: 0124b3fc954340b6857c96b37e89e9eca64da43a
- SHA256: b002c64f7d0ff0a952b72f31609e683f17bb23313417f6639afdec47d9187b25
- SHA512: aa233f2db25af667574de2de6870cd6aa259b62700f604bf0478dac442a358a143853c8b8ad0c913f91b3b3e05662a3c9a7216cd1ca051fd0c20e5fbba40a0b8
- SSDEEP: 12288:voxpAdRDmK6S8IB++Ll22jqZEp5E3qjJ5nl0+9MK:Z56SRB++LVMy1jrZe
Static task: static1
Behavioral task: behavioral1
- Sample: Confidential.exe
- Resource: win7-20220812-en
Malware Config
Extracted: netwire
- 104.222.188.99:3360
- zonedx.ddns.net:3360
- zonedx.ddns.net:3363
- 104.222.188.99:3363
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password9090
- registry_autorun: false
- use_mutex: false
Targets
- Target: Confidential.exe
- NetWire RAT payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext