General
-
Target
9852b6d615cc6d7e5e61044d3cb167bff5bcc528ba0dcb6de4e39de6105d5e42
-
Size
296KB
-
Sample
221023-nz9nbsaah4
-
MD5
2680530026f1eae5f230636b6d4d6ef9
-
SHA1
3be7cfcdbd6318fa79809138fac13eaa074f81fd
-
SHA256
9852b6d615cc6d7e5e61044d3cb167bff5bcc528ba0dcb6de4e39de6105d5e42
-
SHA512
0ab0bd00d80d02088fdb8cbeaa645bd34fc6d4875bc8fc0513075b969db3644878b9570165a4f7d58a2cb61521590f758400c5ec5173922aab3a6e8bca980c68
-
SSDEEP
6144:E0fJ35AAkTIoVOVP8YWNhQ9wDPRrz7sn1k2Q8ik1qdMgZkdz8ne54XSFNMVZs:E0fJ352gZ8JNySDPx+22F1OhQ8e54YMI
Malware Config
Extracted
netwire
franrnar.com.tw:1009
-
activex_autorun
false
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Microsoft\windows\explorer.exe
-
keylogger_dir
%AppData%\Microsoft\windows\Logs\
-
lock_executable
true
-
mutex
LqICFQGC
-
offline_keylogger
true
-
password
GetTheFuckOFf
-
registry_autorun
true
-
startup_name
iexplorer
-
use_mutex
true
Targets
-
-
Target
Product_Order_Quotation_X1208.exe
-
Size
322KB
-
MD5
709714b4261957287537f7f78e6dbdfb
-
SHA1
82f2efbbf0c86913932567caf70ae6f66665bec9
-
SHA256
72c3b0ef24972aa0269b5084d27257fa83229ddca82ae020de2194e9ed7cbb0f
-
SHA512
e969eba70b15e3b346931a5f812f38c20be028b30cc2512d1410d2cbdabd0664d3e9d3a56b6cd83f4e0b88ac66cb5326802d2c0a831deb138ee64b8586141601
-
SSDEEP
6144:my1lpFvAAkTIo9OVP8YW5hQ9wDdRrz7sn1q0eop5MvuMpGxByK/tdA8F8Tz:mAn2oZ8J5ySDdx+sySvfi0GTA8F8Tz
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-