General
-
Target
91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.zip
-
Size
371KB
-
Sample
230113-wmkgnsbc42
-
MD5
446c6dadb9c472a57c9a54b632c70b98
-
SHA1
3665dd29d04df61b3781662293a3fcf7c40f5ffd
-
SHA256
51a26615359fa83ea8687290e2141f753b6969e1905c5aa78bf2c1708904806c
-
SHA512
fa0ae9f01ff5b51e4c45fd2fcce628449f749091f43e1fddeadd73318581ce187ccb9f60279b2c5a6d3e08d16d0d98a74d5441542247435f840e9710d925914c
-
SSDEEP
6144:sBqVfX21kqzxZ26pUotN0haxv15MuxWyuMCIJuwN9bK3AJsZz0+ZO6DvNurrhHxF:s+Akq9ZHUPhax3xWyDme9WSU0IIFHf
Static task
static1
Behavioral task
behavioral1
Sample
91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac.exe
Resource
win7-20220812-es
Malware Config
Extracted
netwire
qualitytrade12.hopto.org:3194
-
activex_autorun
true
-
activex_key
{KEW5251T-4080-L0OG-0866-B1E0A86Y18A5}
-
copy_executable
true
-
delete_original
false
-
host_id
NEWCLIENT
-
install_path
%AppData%\Install\excel.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
RPlPfmOq
-
offline_keylogger
true
-
password
master45
-
registry_autorun
true
-
startup_name
Adobe
-
use_mutex
true
Targets
-
-
Target
91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
-
Size
420KB
-
MD5
1517814c4d44cc632abb52d2d6307f15
-
SHA1
9ee0404b76fe5bda2692f049bb9fc78e17240708
-
SHA256
91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac
-
SHA512
34e0804548803b4ece092061dc287078f5853b9d73d7759b403fdc5bbc4141ddad2b146c06edf8dbaa5ce055c62e1106e91df05a7866402f47be6f28acddaf7a
-
SSDEEP
6144:QjbeiyDBJNEeHfZEW6GH5W288L5ABAYRb+m112Mppeaibjz90645wZUS+:Qu1PzgGH5W28oANn112tLOE+
-
NetWire RAT payload
-
Executes dropped EXE
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-