General
-
Target
538811ee7b9b53e1fdd7168db258ffa8f9dec5d1dd5cb2a0c6feb11a05e51f69
-
Size
512KB
-
Sample
221130-xvfdcsag4y
-
MD5
2c51efce39512a806e21c71b9c1f2637
-
SHA1
9d2184814a40d27ca83c87ad477d7e351b0eea39
-
SHA256
538811ee7b9b53e1fdd7168db258ffa8f9dec5d1dd5cb2a0c6feb11a05e51f69
-
SHA512
5c7cd2384faa28e47fd7961eb48de9aad00cb49eb9a2202749176ad524fc16363d7e98cd882656e7050f08cc264b429f31ea268979a201fce2a26e714e09b05a
-
SSDEEP
6144:I1l11cqTBCC8MT7ggLrRzOpsPtJqRr4VD+lrA+uRD3VDuDp9B5Ep:I1l1ZTk7MgeFzCsPG2srf+TH
Malware Config
Extracted
netwire
185.165.153.135:9539
-
activex_autorun
true
-
activex_key
{ODFPY1S0-W63U-I6AD-W6R7-QY1P260KC61N}
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
true
-
startup_name
Windows Defender
-
use_mutex
false
Targets
-
-
Target
538811ee7b9b53e1fdd7168db258ffa8f9dec5d1dd5cb2a0c6feb11a05e51f69
-
Size
512KB
-
MD5
2c51efce39512a806e21c71b9c1f2637
-
SHA1
9d2184814a40d27ca83c87ad477d7e351b0eea39
-
SHA256
538811ee7b9b53e1fdd7168db258ffa8f9dec5d1dd5cb2a0c6feb11a05e51f69
-
SHA512
5c7cd2384faa28e47fd7961eb48de9aad00cb49eb9a2202749176ad524fc16363d7e98cd882656e7050f08cc264b429f31ea268979a201fce2a26e714e09b05a
-
SSDEEP
6144:I1l11cqTBCC8MT7ggLrRzOpsPtJqRr4VD+lrA+uRD3VDuDp9B5Ep:I1l1ZTk7MgeFzCsPG2srf+TH
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-