General
-
Target
13e6b5ab93ccd4e3eb414c9f0989656808784a630c7eebdcdb9b75bc0a4d2a91
-
Size
245KB
-
Sample
221123-183btshc43
-
MD5
b8afd75a37a61d1820e2dd2875209cf9
-
SHA1
71bd8ae91bf3380922f9edde6438db8a9771c6f3
-
SHA256
13e6b5ab93ccd4e3eb414c9f0989656808784a630c7eebdcdb9b75bc0a4d2a91
-
SHA512
e03849135d8382c06b6dc82ce97d213eae7ff51571442ac9f877940e8f986465a532dd6e338f0287e5ad5a2f6ba75b230094f2e0721416275ccc9d7cc049f1f8
-
SSDEEP
6144:ZFKgLQyqigJCThm7MaTYFFwOqiiJvPes9rg:ZFt/qigJn7NkFmtvGsO
Static task
static1
Malware Config
Extracted
amadey
3.50
193.56.146.174/g84kvj4jck/index.php
185.246.221.126/i4kvjd3xc/index.php
Extracted
netwire
alice2019.myftp.biz:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
Fs_Spread_0001
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
false
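The extracted configurations above are the directly actionable part of this report: two Amadey C2 URLs and one NetWire host:port. The following is an added example (not part of the sandbox report) showing how a responder would turn those values into indicators and sweep proxy, DNS and firewall logs for them. The log formats and the sample lines are constructed for the example; only the indicator values come from the report.

```python
import re
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of the report above.
EXTRACTED_CONFIG = {
    "amadey": {
        "version": "3.50",
        "c2": [
            "193.56.146.174/g84kvj4jck/index.php",
            "185.246.221.126/i4kvjd3xc/index.php",
        ],
    },
    "netwire": {
        "c2": ["alice2019.myftp.biz:3360"],
        "host_id": "Fs_Spread_0001",
    },
}


def parse_c2(entry):
    """Normalise one C2 string into (host, port, path).

    Amadey lists scheme-less URLs ('host/path'); NetWire lists 'host:port'.
    A port that is not present is returned as None rather than guessed.
    """
    if "/" in entry:
        # A leading '//' makes urlsplit treat 'host' as the netloc.
        parts = urlsplit("//" + entry)
        return parts.hostname.lower(), parts.port, parts.path or "/"
    host, _, port = entry.partition(":")
    return host.lower(), (int(port) if port else None), None


def build_iocs(config):
    """Index every C2 entry by host, host:port and host+path, tagged with its family."""
    iocs = {"host": {}, "host_port": {}, "url_path": {}}
    for family, values in config.items():
        for entry in values.get("c2", []):
            host, port, path = parse_c2(entry)
            iocs["host"][host] = family
            if port is not None:
                iocs["host_port"][(host, port)] = family
            if path is not None:
                iocs["url_path"][(host, path)] = family
    return iocs


# Constructed log formats (real collectors differ; adapt the patterns):
#   web proxy : '<ts> <src> <METHOD> <url> <status>'
#   resolver  : '<ts> <src> query <qname>'
#   firewall  : '<ts> <src> connect <host> <port>'
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) connect (?P<host>\S+) (?P<port>\d+)$")


def scan_lines(lines, iocs):
    """Return (src, family, indicator_type, value) for each line that hits an IOC."""
    hits = []
    for line in lines:
        if m := PROXY_RE.match(line):
            parts = urlsplit(m["url"])
            host = (parts.hostname or "").lower()
            path = parts.path or "/"
            if (host, path) in iocs["url_path"]:
                hits.append((m["src"], iocs["url_path"][(host, path)], "c2-url", m["url"]))
            elif host in iocs["host"]:
                # Same C2 host, different path: still worth a look.
                hits.append((m["src"], iocs["host"][host], "c2-host", host))
        elif m := DNS_RE.match(line):
            qname = m["qname"].rstrip(".").lower()  # strip trailing root dot
            if qname in iocs["host"]:
                hits.append((m["src"], iocs["host"][qname], "c2-dns", qname))
        elif m := CONN_RE.match(line):
            key = (m["host"].lower(), int(m["port"]))
            if key in iocs["host_port"]:
                hits.append((m["src"], iocs["host_port"][key], "c2-connect", f"{key[0]}:{key[1]}"))
            elif key[0] in iocs["host"]:
                hits.append((m["src"], iocs["host"][key[0]], "c2-host", key[0]))
    return hits


def affected_sources(hits):
    """Distinct internal hosts that touched any indicator, for triage."""
    return sorted({h[0] for h in hits})


# Constructed sample lines; the timestamps follow the sample date in the report.
SAMPLE_LOGS = [
    "2022-11-23T18:03:11Z 10.0.0.15 POST http://193.56.146.174/g84kvj4jck/index.php 200",
    "2022-11-23T18:03:12Z 10.0.0.15 GET http://example.com/ 200",
    "2022-11-23T18:03:40Z 10.0.0.15 query alice2019.myftp.biz.",
    "2022-11-23T18:03:41Z 10.0.0.22 query updates.example.com.",
    "2022-11-23T18:04:02Z 10.0.0.15 connect alice2019.myftp.biz 3360",
]

if __name__ == "__main__":
    iocs = build_iocs(EXTRACTED_CONFIG)
    hits = scan_lines(SAMPLE_LOGS, iocs)
    for hit in hits:
        print(hit)
    print("affected:", affected_sources(hits))
```

Matching on host plus path for Amadey matters because the beacon URL is the stable part of that family's configuration, while the IPs may be rotated; for NetWire the dynamic-DNS name is the indicator to watch in resolver logs, since the address behind it can change between runs.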
Targets
-
NetWire RAT payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Adds Run key to start application
-