General
-
Target
e65a63374804040e16bbc0027f16f1863e292071f80883915e2521ea7d2c13a1
-
Size
1.3MB
-
Sample
230129-x9jdkacd7y
-
MD5
961dddaec1b5d6c68d4f8513af5da04c
-
SHA1
7ca4b9dbfdc0c2c443479648645b739434c484a8
-
SHA256
e65a63374804040e16bbc0027f16f1863e292071f80883915e2521ea7d2c13a1
-
SHA512
1a94af7539e3f8848b6d10f1597c065b8cc8b68c6ce607b224ec0114aac625118f361c8dcffa826ea9ce16cc64e66eb0c95aab1059315d57c477ad8af74929c1
-
SSDEEP
24576:dVJn/G7I/BagGiOhE+cxWISFJ62I5yxZDNtRwhzliUQVI6rNYsYusC7:7J+qFOhE+WSLFKStRwhxiMKAuz7
Static task
static1
Behavioral task
behavioral1
Sample
e65a63374804040e16bbc0027f16f1863e292071f80883915e2521ea7d2c13a1.exe
Resource
win7-20220812-en
Malware Config
Extracted
netwire
bots.xdecryptedx.life:4528
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
sTvcsXlx
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
true
Targets
-
-
Target
e65a63374804040e16bbc0027f16f1863e292071f80883915e2521ea7d2c13a1
-
Size
1.3MB
-
MD5
961dddaec1b5d6c68d4f8513af5da04c
-
SHA1
7ca4b9dbfdc0c2c443479648645b739434c484a8
-
SHA256
e65a63374804040e16bbc0027f16f1863e292071f80883915e2521ea7d2c13a1
-
SHA512
1a94af7539e3f8848b6d10f1597c065b8cc8b68c6ce607b224ec0114aac625118f361c8dcffa826ea9ce16cc64e66eb0c95aab1059315d57c477ad8af74929c1
-
SSDEEP
24576:dVJn/G7I/BagGiOhE+cxWISFJ62I5yxZDNtRwhzliUQVI6rNYsYusC7:7J+qFOhE+WSLFKStRwhxiMKAuz7
-
NetWire RAT payload
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-