General
-
Target
F22BF2BD431D6E2B93C8485C99537383FE4B775C70CA5.exe
-
Size
620KB
-
Sample
230206-2zh29sbe5v
-
MD5
bebb241c63e3f02435250a922e4a11ea
-
SHA1
1677b2321633d18a997f526cb8b9b623f1993822
-
SHA256
f22bf2bd431d6e2b93c8485c99537383fe4b775c70ca5633ffaf702fde170b7f
-
SHA512
e266cea313d1d29e46644e7de31d3167919793c65b60f7c38a1e05cc80c83dd2554adeeb1462b3f9a47ddd69ecc49e9a78997a9e2768dc6a0f602f4bf0fad58e
-
SSDEEP
12288:gpmhvaV/QmkiLdEkKpFB1Gh7iRjACyALvuhj:Fv0/QxqzKOOYA4
Static task
static1
Behavioral task
behavioral1
Sample
F22BF2BD431D6E2B93C8485C99537383FE4B775C70CA5.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
F22BF2BD431D6E2B93C8485C99537383FE4B775C70CA5.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
netwire
ahmed82.duckdns.org:31220
-
activex_autorun
true
-
activex_key
{MQ7E162C-G40B-POGC-BR10-W1R3U0M04M64}
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-Nov%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
false
Targets
-
-
Target
F22BF2BD431D6E2B93C8485C99537383FE4B775C70CA5.exe
-
Size
620KB
-
MD5
bebb241c63e3f02435250a922e4a11ea
-
SHA1
1677b2321633d18a997f526cb8b9b623f1993822
-
SHA256
f22bf2bd431d6e2b93c8485c99537383fe4b775c70ca5633ffaf702fde170b7f
-
SHA512
e266cea313d1d29e46644e7de31d3167919793c65b60f7c38a1e05cc80c83dd2554adeeb1462b3f9a47ddd69ecc49e9a78997a9e2768dc6a0f602f4bf0fad58e
-
SSDEEP
12288:gpmhvaV/QmkiLdEkKpFB1Gh7iRjACyALvuhj:Fv0/QxqzKOOYA4
Score 10/10
-
NetWire RAT payload
-
Modifies Installed Components in the registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-