General
Target: 34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5
Size: 453KB
Sample: 230403-b9d8yscb77
MD5: a7c46dcd7583f9b2fdca60638393fe3d
SHA1: 9d095498c250a1c8b8c1b9b7064d7be934b0ac1a
SHA256: 34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5
SHA512: 7e588fd29d927c232efcf1ab7334e0ee663c6b67bbd819823cb093d9787ceb5fbadd56a11145107bafe120889d4c1acc425e7ca2cf42fa1b5cb01437e25cda47
SSDEEP: 12288:yhKODnJnFSRyDy/J9JLtpx+/tADdzw/aFo:yoOHSSaPJh+/tADdI
Static task: static1
Behavioral task: behavioral1
Sample: 34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted: netwire
C2 host: haija.mine.nu:1338
activex_autorun: false
copy_executable: false
delete_original: false
host_id: Marketplace
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: qays1122
registry_autorun: false
use_mutex: false
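The extracted config above is the most reusable part of this report: the C2 host and port, the keylogger drop directory and the campaign password are the indicators a responder would pivot on. The following script is an added example, not part of the sandbox report or of any tool it uses. It parses the flattened key/value dump exactly as it appears on this page, types the boolean flags, derives hunt indicators from it, and runs them over a handful of constructed endpoint events (DNS queries, outbound connections, file writes). The `%AppData%` expansion to `C:\Users\victim\AppData\Roaming` and all of the event records are assumptions made for the demonstration.

```python
"""Turn the NetWire config extracted by the sandbox into hunt indicators
and apply them to endpoint telemetry.  Added example; the telemetry below
is constructed, not taken from the report."""
import re

# The "Malware Config / Extracted" block copied from the report, in the
# flattened form the page shows: family, C2 address(es), then '-'-separated
# key/value pairs.
NETWIRE_CONFIG_DUMP = """\
netwire
haija.mine.nu:1338
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
Marketplace
-
keylogger_dir
%AppData%\\Logs\\
-
lock_executable
false
-
offline_keylogger
true
-
password
qays1122
-
registry_autorun
false
-
use_mutex
false
"""

# Constructed sample events (assumed profile path C:\Users\victim).
SAMPLE_EVENTS = [
    {"type": "dns", "proc": "svchost.exe", "query": "haija.mine.nu"},
    {"type": "dns", "proc": "chrome.exe", "query": "www.example.com"},
    {"type": "netconn", "proc": "svchost.exe", "dst": "198.51.100.23", "dport": 1338},
    {"type": "file", "proc": "svchost.exe",
     "path": r"C:\Users\victim\AppData\Roaming\Logs\04-03-2023"},
    {"type": "file", "proc": "explorer.exe",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Recent\a.lnk"},
    {"type": "netconn", "proc": "chrome.exe", "dst": "93.184.216.34", "dport": 443},
]


def parse_config_dump(dump: str) -> dict:
    """Parse the flattened dump into {'family', 'c2': [(host, port)], key: value...}."""
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    cfg = {"family": lines[0], "c2": []}
    i = 1
    while i < len(lines) and lines[i] != "-":      # C2 entries precede the first '-'
        host, _, port = lines[i].rpartition(":")
        cfg["c2"].append((host, int(port)))
        i += 1
    while i < len(lines):                           # then key / value pairs
        if lines[i] == "-":
            i += 1
            continue
        key, val = lines[i], lines[i + 1]
        if val.lower() in ("true", "false"):        # type the boolean flags
            val = val.lower() == "true"
        cfg[key] = val
        i += 2
    return cfg


def expand_win_path(path: str, appdata: str = r"C:\Users\victim\AppData\Roaming") -> str:
    """Expand %AppData% the way the implant would on the victim (assumed path)."""
    return re.sub(r"%appdata%", lambda _m: appdata, path, flags=re.IGNORECASE)


def scan_events(events: list, cfg: dict, appdata: str = r"C:\Users\victim\AppData\Roaming") -> list:
    """Return (event_index, reason) for every event matching a config-derived indicator."""
    domains = {h.lower() for h, _ in cfg["c2"]}
    ports = {p for _, p in cfg["c2"]}
    klog_dir = expand_win_path(cfg["keylogger_dir"], appdata).lower().replace("/", "\\")
    hits = []
    for idx, ev in enumerate(events):
        if ev["type"] == "dns":
            q = ev["query"].lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in domains):
                hits.append((idx, "DNS query for NetWire C2 host"))
        elif ev["type"] == "netconn" and ev["dport"] in ports:
            # Port alone is a weak signal; corroborate with the DNS hit or a resolved IP.
            hits.append((idx, "outbound connection on NetWire C2 port"))
        elif ev["type"] == "file":
            p = ev["path"].lower().replace("/", "\\")
            if p.startswith(klog_dir):
                hits.append((idx, "write under NetWire keylogger directory"))
    return hits


if __name__ == "__main__":
    cfg = parse_config_dump(NETWIRE_CONFIG_DUMP)
    for idx, reason in scan_events(SAMPLE_EVENTS, cfg):
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['proc']}): {reason}")
```

Port 1338 by itself is deliberately reported as a weak indicator; in practice you would join it to a resolution of haija.mine.nu from the same host, since a dynamic-DNS C2 can move and the port can collide with legitimate traffic. The keylogger path check is what turns `offline_keylogger: true` into something you can look for on disk.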
Targets
Target: 34104d412d856c9ee60e6db6cce0fbb03c766988ab6e733a867eeac26cd9bad5
Size: 453KB
Score: 10/10
Signatures:
- NetWire RAT payload
- Core1 .NET packer: detects the packer/loader used by .NET malware.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext

Note that the extracted config has registry_autorun: false, yet the behavioral run recorded a Run key being added. The persistence is therefore most likely set up by the .NET packer/loader stage rather than by the NetWire payload's own configuration, and the SetThreadContext call together with the dropped DLL is consistent with that loader injecting the payload into another process. Confirm the Run key's value against the behavioral task's registry events before treating it as a NetWire-specific indicator.