General
-
Target
TEKLİF İSTEME FORMU.doc
-
Size
37KB
-
Sample
230222-mzjw8scg2s
-
MD5
ac61d636809fd4617b6fa6b5a099a38c
-
SHA1
9e3bb29de5667a90fe0df822ec27a0f4a6a012ed
-
SHA256
1fd6569eae2820afd99e6ba741c6f4c69f61004e617e9e0cccf54c4df93d6865
-
SHA512
1a18206c3b417993381c7b8bc8b4fe538022744c2890fb247c6c56b1726d22d8ec0f170197b4c925bd84ab507277067e95bae1b6403f5f371f8b9508f80c471a
-
SSDEEP
768:xFx0XaIsnPRIa4fwJMcfBPts3AjTySc2sj345ddMu8pcn:xf0Xvx3EMcfBPtmAwboY96n
Malware Config
Extracted
netwire
zekeriyasolek44.duckdns.org:3102
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
Valentine End
-
install_path
%Windows%\Windows DataPoint\Windows Data Start.exe
-
lock_executable
false
-
mutex
Windows
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
TEKLİF İSTEME FORMU.doc
-
Size
37KB
-
MD5
ac61d636809fd4617b6fa6b5a099a38c
-
SHA1
9e3bb29de5667a90fe0df822ec27a0f4a6a012ed
-
SHA256
1fd6569eae2820afd99e6ba741c6f4c69f61004e617e9e0cccf54c4df93d6865
-
SHA512
1a18206c3b417993381c7b8bc8b4fe538022744c2890fb247c6c56b1726d22d8ec0f170197b4c925bd84ab507277067e95bae1b6403f5f371f8b9508f80c471a
-
SSDEEP
768:xFx0XaIsnPRIa4fwJMcfBPts3AjTySc2sj345ddMu8pcn:xf0Xvx3EMcfBPtmAwboY96n
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-