General
Target: c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1.danger
Size: 1KB
Sample: 230117-pbk6habf5v
MD5: 54c3aff6778177f39bd3930fe61a162e
SHA1: 623a8471475981e9a992235ba5fcf12e99c96612
SHA256: c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1
SHA512: 40e8a0d1d7f550273bca6d6501c595277f7767bf276be3eee03bf102d41dc48ba8255df189ddeb67a74c7d97c691d015d3e3cee1710eb61f5abf34854cc03bdd
Static task: static1
Behavioral task: behavioral1
Sample: c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1.hta
Resource: win7-20221111-en
Malware Config
Extracted: netwire (212.193.30.230:3361)
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Telkomsa@1991
registry_autorun: false
use_mutex: false
Targets
Target: c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1.danger
Size: 1KB
MD5: 54c3aff6778177f39bd3930fe61a162e
SHA1: 623a8471475981e9a992235ba5fcf12e99c96612
SHA256: c289a867c2488aba791f6a764ea901872820cc4c45bfe6210e2409c842c6f8c1
SHA512: 40e8a0d1d7f550273bca6d6501c595277f7767bf276be3eee03bf102d41dc48ba8255df189ddeb67a74c7d97c691d015d3e3cee1710eb61f5abf34854cc03bdd
- NetWire RAT payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext