General
Target: CTBrowserSetup_IzCDcU.vbs
Size: 2.6MB
Sample: 230219-267dfagc8y
MD5: cd70c03b7ce70dc04864968bd50b6c46
SHA1: 83ec5661a1d3290b7dc23021794d0bb55dd09596
SHA256: e9bc9118078c9b521c97543e9b0a13d63c8d09f5289a9892efc40cb64a37cc91
SHA512: a3ede6d7a465708629dfcfdc2d1bebaa5a3359b7e38b0cf1df94587d11c105ed16b18f08a97876384922a96ab72cae18bcd9cd27c82a3921789996f3db959546
SSDEEP: 6144:T5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5s5ktBJy0T0T0TH:tZ1
Note on the SSDEEP value: the long run of the same digram (5s5s5s...) in the first chunk means most of this 2.6MB script consists of one repeated block, with only a short tail of distinct content. That is consistent with junk padding used to inflate the file past scanner size limits, so when hunting for related samples compare the script's distinct portion rather than relying on this fuzzy hash.
Static task: static1
Behavioral task: behavioral1, sample CTBrowserSetup_IzCDcU.vbs, resource win7-20220812-en
Behavioral task: behavioral2, sample CTBrowserSetup_IzCDcU.vbs, resource win10v2004-20220812-en
Malware Config
Extracted URL: https://quickcheckx.github.io/quickme/Milieu.snp
Extracted family: netwire
C2 host: 104.168.234.121:3360
activex_autorun: false
copy_executable: false
delete_original: false
host_id: NewCatch-%Rand%
lock_executable: false
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
Every persistence switch in this NetWire build (activex_autorun, registry_autorun, copy_executable) is off, yet the behavioural signatures recorded below include a Run key and a COM server registered for autorun. Before attributing that persistence to the RAT itself, check which process wrote those registry keys; the VBS loader stage is the more likely author. The %Rand% placeholder in host_id is expanded per victim, so only the fixed NewCatch- prefix is usable as an indicator.
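As an added example (not part of the sandbox report and not NetWire's or the sandbox's own code), the following Python turns the configuration extracted above into matchable indicators and runs them over a handful of constructed network events. The C2 host, download URL and config values are the ones reported on this page; the key=value log format, the event lines themselves and all function names are assumptions made for the example. It also shows the generalisation mentioned above: a host_id template with a runtime placeholder is reduced to a prefix-anchored regular expression.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Values copied from the report's "Malware Config" section.
C2 = "104.168.234.121:3360"
DOWNLOAD_URL = "https://quickcheckx.github.io/quickme/Milieu.snp"
NETWIRE_CONFIG = """\
activex_autorun false
copy_executable false
delete_original false
host_id NewCatch-%Rand%
lock_executable false
offline_keylogger false
password Password
registry_autorun false
use_mutex false
"""


def parse_config(text):
    """Parse the flattened 'key value' lines into a dict; true/false become bool."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if value.lower() in ("true", "false"):
            value = value.lower() == "true"
        cfg[key.strip()] = value
    return cfg


def build_iocs(c2, url):
    """Split host:port and the download URL into the atomic indicators a sensor can match."""
    host, _, port = c2.rpartition(":")
    parsed = urlparse(url)
    return {
        "c2_ip": ipaddress.ip_address(host),  # raises ValueError on a malformed address
        "c2_port": int(port),
        "dl_host": parsed.hostname.lower(),
        "dl_path": parsed.path,
    }


def host_id_pattern(template):
    """NetWire expands %Rand% (and similar %Name% placeholders) per victim, so only
    the fixed text is matchable: each placeholder becomes a non-empty wildcard."""
    fixed_parts = re.split(r"%\w+%", template)
    return re.compile("^" + ".+".join(re.escape(p) for p in fixed_parts) + "$")


# Constructed network-event log in an assumed key=value format (not from the report).
EVENT_LOG = """\
ts=2023-02-19T10:00:01Z event=http src=10.0.0.5 host=quickcheckx.github.io uri=/quickme/Milieu.snp
ts=2023-02-19T10:00:02Z event=http src=10.0.0.5 host=www.microsoft.com uri=/
ts=2023-02-19T10:00:05Z event=tcp src=10.0.0.5 dst=104.168.234.121 dport=3360
ts=2023-02-19T10:00:06Z event=tcp src=10.0.0.5 dst=104.168.234.121 dport=443
ts=2023-02-19T10:00:07Z event=tcp src=10.0.0.5 dst=8.8.8.8 dport=53
"""


def _fields(line):
    return dict(tok.split("=", 1) for tok in line.split())


def match_events(log_text, iocs):
    """Return (ts, verdict) for every event that touches an indicator.
    IP and port together give 'c2'; the same IP on another port is reported as
    'c2_ip_only' so an analyst can weigh it instead of silently losing it."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = _fields(line)
        if f.get("event") == "http":
            if f.get("host", "").lower() == iocs["dl_host"] and f.get("uri") == iocs["dl_path"]:
                hits.append((f["ts"], "download_url"))
        elif f.get("event") == "tcp":
            try:
                dst = ipaddress.ip_address(f.get("dst", ""))
            except ValueError:
                continue  # malformed address field: skip rather than crash the sweep
            if dst == iocs["c2_ip"]:
                verdict = "c2" if int(f.get("dport", 0)) == iocs["c2_port"] else "c2_ip_only"
                hits.append((f["ts"], verdict))
    return hits


if __name__ == "__main__":
    cfg = parse_config(NETWIRE_CONFIG)
    iocs = build_iocs(C2, DOWNLOAD_URL)
    print("host_id regex:", host_id_pattern(cfg["host_id"]).pattern)
    for ts, verdict in match_events(EVENT_LOG, iocs):
        print(ts, verdict)
```

The split between "c2" and "c2_ip_only" is deliberate: a shared hosting address can carry unrelated traffic, so port-matched hits should page an analyst while IP-only hits are better routed to a lower-severity queue for review.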
Targets
Target: CTBrowserSetup_IzCDcU.vbs (2.6MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values in the General section above)
- NetWire RAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Installed Components in the registry (the Active Setup persistence location)
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger (anti-debugging: the new thread is hidden from attached debuggers)
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging)
- Suspicious use of SetThreadContext (typical of thread hijacking and process hollowing style injection)