General
-
Target
2f33e743eb105ce162a713b1b21e429d.bin
-
Size
15KB
-
Sample
230223-bghexagb5y
-
MD5
48f41a707bf2b779d4805d83be01a392
-
SHA1
712b57a549030d41cdae9d3b5f80ed9dc3427278
-
SHA256
928837bed8854c87d217c31969dc8a72cadc55ee5a594860272cc68dc2f147eb
-
SHA512
70e65d6965e2f5e7fa452dd80c54fe9b4928c6263ce15430717a8ecf9bb2e58c02ce0484454665eb3a1a480a9f90440682f7648c7de05d4be34de1b8d384b107
-
SSDEEP
384:sE4IHgqMUdB5mkrYc+lkDvpWzE1ju0qly+O7eEDjp:/HkubfrilkjpWz+ju0qlynFDjp
Malware Config
Extracted
netwire
zekeriyasolek44.duckdns.org:3102
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
Valentine End
-
install_path
%Windows%\Windows DataPoint\Windows Data Start.exe
-
lock_executable
false
-
mutex
Windows
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
df770aabdc39c9255b2eab82391b1246ca57f2108c670fcba0f40b7c46c7ddb7.doc
-
Size
39KB
-
MD5
2f33e743eb105ce162a713b1b21e429d
-
SHA1
ba35963190d4f31ca073682f412849970ad7019d
-
SHA256
df770aabdc39c9255b2eab82391b1246ca57f2108c670fcba0f40b7c46c7ddb7
-
SHA512
c1129baea902067a3a44bbdfb5bc8958ef67cafb6714373669da2b112feacbfff73623d34028d7678eb710b3b3479315ef2a7318ccc0454979c6d0dbe78f1c20
-
SSDEEP
768:5Fx0XaIsnPRIa4fwJMGNH2YRrenTu1HBO85sH4mY6u:5f0Xvx3EMKHFR/HBO85sYou
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-