General
- Target: 2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
- Size: 1.7MB
- Sample: 230129-r7251abe83
- MD5: 572deaae035dc45bfde695cf2c4eca9c
- SHA1: 23ac65e7d81d1937f3637e249d8daf03ee820bb4
- SHA256: 2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
- SHA512: 0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d
- SSDEEP: 12288:ln4oojsadZIcSZzd9xU9DHhilbu300g6LUmhhVHq5snzVXvePiupREJXmBe8kkkS:eoOdScazTxRCEyLUm7HXvczZDwTs1
Static task: static1
Behavioral task: behavioral1
- Sample: 2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe
- Resource: win7-20221111-en
Malware Config
Extracted: netwire
C2 hosts:
- divinevilla.hopto.org:3680
- divinevilla9.duckdns.org:3680
Configuration:
- activex_autorun: true
- activex_key: {4U0P1HV1-08W6-Q5LN-WDDU-VOF57B3X5Q6B}
- copy_executable: true
- delete_original: false
- host_id: 2019BLESSINGS
- install_path: %AppData%\Install\xpsz.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: true
- mutex: MkPFjgDl
- offline_keylogger: true
- password: teamoluwa1
- registry_autorun: true
- startup_name: vixx
- use_mutex: true
Targets
- Target: 2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
- Size: 1.7MB
- MD5: 572deaae035dc45bfde695cf2c4eca9c
- SHA1: 23ac65e7d81d1937f3637e249d8daf03ee820bb4
- SHA256: 2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
- SHA512: 0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d
- SSDEEP: 12288:ln4oojsadZIcSZzd9xU9DHhilbu300g6LUmhhVHq5snzVXvePiupREJXmBe8kkkS:eoOdScazTxRCEyLUm7HXvczZDwTs1
Signatures:
- NetWire RAT payload
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext