General
Target: 3678270672216e0a460c4a836bd66b1f373fc336f443d8226154b5f5bd095296
Size: 4.4MB
Sample: 221020-bjlkcagba2
MD5: 07ac1cd6e1c580500c266e2d83efc2f0
SHA1: 2980487d0e3c87cda631eedcf4c3e6aaaf717eda
SHA256: 3678270672216e0a460c4a836bd66b1f373fc336f443d8226154b5f5bd095296
SHA512: 2685933448c2c304ba330f057807a87d9faeb1dabe3481020930ca4e0bf089070cf7effb22770e667aded214ed37c7c09d2cf91129b9af4c3a68d09ef9cf915f
SSDEEP: 98304:K2cPK8Qh71GAnlUxvawmWybJQAlbM0azCWtg04c5b0:lCKhhZGHCwBx2bazjtf5b0
Static task: static1
Behavioral task: behavioral1
  Sample: 3678270672216e0a460c4a836bd66b1f373fc336f443d8226154b5f5bd095296.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3678270672216e0a460c4a836bd66b1f373fc336f443d8226154b5f5bd095296.exe
  Resource: win10v2004-20220901-en
Malware Config
Extracted: netwire (C2 endpoints)
nl-amsterdam04.crypticvpn.com:8067
ru-moscow02.crypticvpn.com:8022
de-frankfurt03.crypticvpn.com:8022
activex_autorun: false
copy_executable: false
delete_original: false
host_id: Zboub-%Rand%
keylogger_dir: C:\Users\Admin\AppData\Roaming\Roaming\Microsoft\MMC\Logs\
lock_executable: false
mutex: oLTJRPxq
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: true
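The extracted configuration above is the part of this report a defender can act on directly: the three C2 host:port pairs, the mutex name (use_mutex is true), and the keylogger log directory (offline_keylogger is true). The following is an added example, not part of the sandbox report, that parses the config block exactly as it is rendered here into indicators and runs them over a handful of constructed DNS, proxy, file-create and mutex telemetry lines (the log lines are invented for illustration and are not output from the sandbox run). The doubled `Roaming\Roaming` in keylogger_dir is kept as the report shows it. Ports are deliberately not matched on their own, since 8022 and 8067 are not distinctive enough to alert on without the domain.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed input: the "Extracted netwire" block as this report renders it
# (family name, then C2 host:port lines, then key/value pairs). The doubled
# "Roaming\Roaming" in keylogger_dir is reproduced exactly as the report shows it.
NETWIRE_CONFIG_TEXT = """netwire
nl-amsterdam04.crypticvpn.com:8067
ru-moscow02.crypticvpn.com:8022
de-frankfurt03.crypticvpn.com:8022
activex_autorun
false
copy_executable
false
delete_original
false
host_id
Zboub-%Rand%
keylogger_dir
C:\\Users\\Admin\\AppData\\Roaming\\Roaming\\Microsoft\\MMC\\Logs\\
lock_executable
false
mutex
oLTJRPxq
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
true
"""

HOST_PORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")

def parse_netwire_config(text: str) -> Dict[str, object]:
    """Turn the rendered config block into a dict: 'c2' -> [(host, port)],
    booleans for true/false values, raw strings for everything else."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]  # drop blank lines and bullet residue
    if not lines or lines[0].lower() != "netwire":
        raise ValueError("not a netwire config block")
    cfg: Dict[str, object] = {"family": "netwire"}
    c2: List[Tuple[str, int]] = []
    i = 1
    while i < len(lines):  # the leading host:port lines are the C2 list
        m = HOST_PORT_RE.match(lines[i])
        if not m:
            break
        c2.append((m.group("host"), int(m.group("port"))))
        i += 1
    cfg["c2"] = c2
    rest = lines[i:]
    if len(rest) % 2:
        raise ValueError("config key without a value")
    for key, val in zip(rest[0::2], rest[1::2]):
        low = val.lower()
        cfg[key] = True if low == "true" else False if low == "false" else val
    return cfg

def host_indicators(cfg: Dict[str, object]) -> Dict[str, Set[str]]:
    # Only hunt for the mutex / log directory if the config says they are in use.
    return {
        "domains": {h for h, _ in cfg["c2"]},
        "mutex": {str(cfg["mutex"])} if cfg.get("use_mutex") else set(),
        "paths": {str(cfg["keylogger_dir"])} if cfg.get("offline_keylogger") else set(),
    }

# Constructed sample events (DNS, proxy, file-create, mutex telemetry); these are
# illustrative lines, not output from the sandbox run.
SAMPLE_EVENTS = [
    "2022-10-20T14:01:03Z dns query=nl-amsterdam04.crypticvpn.com client=10.0.0.12",
    "2022-10-20T14:01:04Z proxy CONNECT ru-moscow02.crypticvpn.com:8022 client=10.0.0.12",
    "2022-10-20T14:01:05Z proxy CONNECT update.example.com:443 client=10.0.0.12",
    "2022-10-20T14:01:09Z file_create path=C:\\Users\\Admin\\AppData\\Roaming\\Roaming\\Microsoft\\MMC\\Logs\\20221020.log",
    "2022-10-20T14:01:10Z mutex_create name=oLTJRPxq pid=4120",
]

def match_events(events: List[str], ind: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (indicator, event) pairs. Domains and paths match case-insensitively
    as substrings; the mutex name is case-sensitive and must be a whole token."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        low = ev.lower()
        tag = None
        for d in sorted(ind["domains"]):
            if d.lower() in low:
                tag = "c2_domain:" + d
                break
        if tag is None:
            for p in sorted(ind["paths"]):
                if p.lower() in low:
                    tag = "keylogger_dir"
                    break
        if tag is None:
            for m in sorted(ind["mutex"]):
                if re.search(r"\b" + re.escape(m) + r"\b", ev):
                    tag = "mutex:" + m
                    break
        if tag is not None:
            hits.append((tag, ev))
    return hits

if __name__ == "__main__":
    config = parse_netwire_config(NETWIRE_CONFIG_TEXT)
    for tag, event in match_events(SAMPLE_EVENTS, host_indicators(config)):
        print(f"{tag:45} {event}")
```

Run against the constructed events, the two C2 lookups, the file created under the keylogger directory and the mutex creation are flagged; the unrelated CONNECT to port 443 is not. The parser accepts the block with or without the bullet lines, so it can be fed a copy of the report text directly.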
Targets
Target: 3678270672216e0a460c4a836bd66b1f373fc336f443d8226154b5f5bd095296
Size: 4.4MB
MD5: 07ac1cd6e1c580500c266e2d83efc2f0
SHA1: 2980487d0e3c87cda631eedcf4c3e6aaaf717eda
SHA256: 3678270672216e0a460c4a836bd66b1f373fc336f443d8226154b5f5bd095296
SHA512: 2685933448c2c304ba330f057807a87d9faeb1dabe3481020930ca4e0bf089070cf7effb22770e667aded214ed37c7c09d2cf91129b9af4c3a68d09ef9cf915f
SSDEEP: 98304:K2cPK8Qh71GAnlUxvawmWybJQAlbM0azCWtg04c5b0:lCKhhZGHCwBx2bazjtf5b0
Signatures
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext