General
Target: 8545b3c5f346723524e6dd29bfe64083.exe
Size: 948KB
Sample: 230222-m99kmsch2s
MD5: 8545b3c5f346723524e6dd29bfe64083
SHA1: e864f9c2d68edb928217325e5c8e8cc5eb86dc3f
SHA256: 6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac
SHA512: 42fe1fbdd7ac210f331fd7da891c75509a8271bda0b6816facc4f8d6220fa51525d94d48a97e824e5d5ee4949309592324ab24a9b58a579e79d66aaf7d4cf696
SSDEEP: 24576:Iky9IISJqTZPEeqJa5E7Om5Fi5EuyuqUc+3l9:Y2eoam5FS9q
Static task: static1

Behavioral task: behavioral1
Sample: 8545b3c5f346723524e6dd29bfe64083.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 8545b3c5f346723524e6dd29bfe64083.exe
Resource: win10v2004-20230221-en
Malware Config
Extracted: netwire
C2: zekeriyasolek44.duckdns.org:3102
activex_autorun: false
copy_executable: false
delete_original: false
host_id: Valentine End
install_path: %Windows%\Windows DataPoint\Windows Data Start.exe
lock_executable: false
mutex: Windows
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
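The extracted configuration above is the useful part of this report for a responder: it gives a C2 hostname and port, a fixed install path and a Run-key artefact to hunt for. The following is an added example (not code from the sandbox or from the NetWire sample) that turns those config values into indicators and matches them against a stream of process, DNS, connection and registry events. The event records and their field names are constructed for illustration, the IP addresses are documentation-range placeholders, and the expansion of the `%Windows%` placeholder to `C:\Windows` is an assumption, not something the report states.

```python
"""Derive host/network indicators from the NetWire config on this page and
match them against a constructed event stream (added example)."""
from dataclasses import dataclass

# Values copied verbatim from the extracted config above.
NETWIRE_CONFIG = {
    "c2": "zekeriyasolek44.duckdns.org:3102",
    "install_path": r"%Windows%\Windows DataPoint\Windows Data Start.exe",
    "mutex": "Windows",
}


@dataclass(frozen=True)
class Event:
    kind: str      # "dns", "connect", "process" or "registry"
    fields: dict   # assumed field names; see SAMPLE_EVENTS below


def parse_c2(c2: str) -> tuple:
    """Split 'host:port' into a normalised hostname and an integer port."""
    host, _, port = c2.rpartition(":")
    return host.lower().rstrip("."), int(port)


def expand_install_path(path: str, windows_dir: str = r"C:\Windows") -> str:
    """%Windows% is the config's own placeholder, not an environment variable;
    assumed here to mean the Windows directory, so expand it explicitly."""
    return path.replace("%Windows%", windows_dir)


def match_events(events, config=NETWIRE_CONFIG, windows_dir=r"C:\Windows"):
    """Return (indicator_name, event) pairs for events matching the config."""
    c2_host, c2_port = parse_c2(config["c2"])
    install = expand_install_path(config["install_path"], windows_dir).lower()
    resolved = set()   # IPs the C2 hostname resolved to earlier in the stream
    hits = []
    for ev in events:
        f = ev.fields
        if ev.kind == "dns":
            if f.get("query", "").lower().rstrip(".") == c2_host:
                resolved.update(f.get("answers", []))
                hits.append(("c2_dns_query", ev))
        elif ev.kind == "connect":
            # Port 3102 on its own is too weak an indicator; require that the
            # destination IP came from a resolution of the C2 hostname.
            if f.get("dst_ip") in resolved and f.get("dst_port") == c2_port:
                hits.append(("c2_connection", ev))
        elif ev.kind == "process":
            if f.get("image", "").lower() == install:
                hits.append(("implant_install_path", ev))
        elif ev.kind == "registry":
            key = f.get("key", "").lower()
            if r"\currentversion\run" in key and install in f.get("data", "").lower():
                hits.append(("run_key_persistence", ev))
    return hits


# Constructed sample stream: benign noise plus the behaviours the report lists.
SAMPLE_EVENTS = [
    Event("dns", {"query": "update.example.com", "answers": ["203.0.113.9"]}),
    Event("dns", {"query": "ZEKERIYASOLEK44.duckdns.org.", "answers": ["198.51.100.7"]}),
    Event("connect", {"dst_ip": "203.0.113.9", "dst_port": 3102}),   # right port, wrong host
    Event("connect", {"dst_ip": "198.51.100.7", "dst_port": 3102}),
    Event("process", {"image": r"C:\Windows\Windows DataPoint\Windows Data Start.exe"}),
    Event("registry", {
        "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Data Start",
        "data": r"C:\Windows\Windows DataPoint\Windows Data Start.exe",
    }),
]


def summarize(events=SAMPLE_EVENTS):
    """Distinct indicator names that fired, in first-seen order."""
    seen = []
    for name, _ in match_events(events):
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    for name, ev in match_events(SAMPLE_EVENTS):
        print(f"{name:22s} {ev.fields}")
```

The connection check deliberately keys on the IP that the DuckDNS name resolved to rather than on port 3102 alone: dynamic-DNS C2 addresses change, and a bare port match would fire on unrelated traffic. Note that the config has registry_autorun set to false while the behavioural run still reports a Run key being added, so the Run-key indicator is kept and matched on the install path rather than on a fixed value name.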
Targets
Target: 8545b3c5f346723524e6dd29bfe64083.exe
Size: 948KB
MD5: 8545b3c5f346723524e6dd29bfe64083
SHA1: e864f9c2d68edb928217325e5c8e8cc5eb86dc3f
SHA256: 6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac
SHA512: 42fe1fbdd7ac210f331fd7da891c75509a8271bda0b6816facc4f8d6220fa51525d94d48a97e824e5d5ee4949309592324ab24a9b58a579e79d66aaf7d4cf696
SSDEEP: 24576:Iky9IISJqTZPEeqJa5E7Om5Fi5EuyuqUc+3l9:Y2eoam5FS9q
Score: 10/10

Signatures:
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext