General
Target: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d
Size: 272KB
Sample: 230403-jgh1faeh6y
MD5: c392e134b254a10d3007c4860ac06d95
SHA1: 0b50a024e07b0da75e5080486e2d41634ef6a971
SHA256: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d
SHA512: 3c7dbde9e79bf60de935d26de42c17cef1d81938eb2e08256e0be2f72646a21cb9daf34866bd54725c330f90fea106e10f500922de4f34135d6c187bee871a09
SSDEEP: 6144:wcCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD9dIx:wcXiQfipPrb08rTj6+pGWq4x
Behavioral task: behavioral1
Sample: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d.exe
Resource: win7-20230220-en
Malware Config
Extracted family: netwire
C2: 94.156.189.115:53
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Router\CheckLink.exe
keylogger_dir: TestLink.lnk
lock_executable: false
mutex: pHGKnPeU
offline_keylogger: false
password: 1qaz2wsx.
registry_autorun: false
use_mutex: false
Targets
Target: 0300c77c84aa4e40c3bafd3f04a4c54a2f3bf2069db60e255fe4edf3d675fe7d (272KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Deletes itself: the extracted config has delete_original set to false, so this self-deletion is not driven by that NetWire option.
- Drops startup file: the config disables both registry_autorun and activex_autorun, so the dropped startup file is the persistence mechanism observed in this run.
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination: traffic on the DNS port to servers other than the configured DNS resolvers. This is consistent with the extracted C2 address 94.156.189.115:53: the RAT's command channel is configured on port 53, so it shows up as non-resolver traffic on the DNS port. A network rule for this behaviour should match port-53 sessions over TCP as well as UDP to any host that is not a sanctioned resolver, rather than depending on DNS protocol parsing, since the C2 traffic is not DNS at all.
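The following is an added example, not the sandbox's or the malware author's code. It takes the field values from the extracted config above, derives the host and network indicators a responder would actually hunt for (honouring the use_mutex and host_id placeholder caveats), and replays the "unexpected DNS network traffic destination" rule over a handful of constructed flow records. The resolver addresses and the flow records are assumptions made for the example and do not come from the report.

```python
"""Derive hunt indicators from the extracted NetWire config and replay the
sandbox's 'unexpected DNS destination' rule over constructed flow records.
Added example; not the sandbox's own code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Field values copied from the extracted config on this page.
NETWIRE_CONFIG = {
    "c2": "94.156.189.115:53",
    "install_path": r"%AppData%\Router\CheckLink.exe",
    "keylogger_dir": "TestLink.lnk",
    "mutex": "pHGKnPeU",
    "use_mutex": False,
    "host_id": "HostId-%Rand%",
}

# Assumed resolver addresses for the monitored network (not from the page).
RESOLVERS = ["10.0.0.53", "8.8.8.8"]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Constructed flow records; only the port-53 TCP session to the C2 is the RAT.
SAMPLE_FLOWS = [
    Flow("10.0.0.20", "10.0.0.53", 53, "udp"),       # normal lookup to resolver
    Flow("10.0.0.20", "8.8.8.8", 53, "udp"),         # normal lookup to resolver
    Flow("10.0.0.20", "94.156.189.115", 53, "tcp"),  # NetWire C2 on the DNS port
    Flow("10.0.0.20", "203.0.113.10", 443, "tcp"),   # unrelated HTTPS
]


def parse_c2(c2: str) -> tuple[str, int]:
    """Split NetWire's host:port C2 string into its parts."""
    host, _, port = c2.rpartition(":")
    return host, int(port)


def host_iocs(cfg: dict) -> dict[str, list[str]]:
    """Host artefacts worth hunting. The mutex is only created when use_mutex
    is true, and host_id carries the %Rand% placeholder, so neither is a
    reliable indicator for this build; the file names are."""
    return {
        "file_paths": [cfg["install_path"], cfg["keylogger_dir"]],
        "mutexes": [cfg["mutex"]] if cfg["use_mutex"] else [],
    }


def unexpected_dns_destinations(flows, resolvers) -> list[Flow]:
    """Same rule as the sandbox signature: any port-53 traffic, TCP or UDP,
    whose destination is not one of the configured resolvers."""
    allowed = {ipaddress.ip_address(r) for r in resolvers}
    return [f for f in flows
            if f.dport == 53 and ipaddress.ip_address(f.dst) not in allowed]


def c2_flows(flows, cfg) -> list[Flow]:
    """Exact match on the extracted C2 endpoint, for confirming a hit."""
    host, port = parse_c2(cfg["c2"])
    return [f for f in flows if f.dst == host and f.dport == port]


if __name__ == "__main__":
    print(host_iocs(NETWIRE_CONFIG))
    for f in unexpected_dns_destinations(SAMPLE_FLOWS, RESOLVERS):
        print("unexpected DNS destination:", f)
    for f in c2_flows(SAMPLE_FLOWS, NETWIRE_CONFIG):
        print("known NetWire C2:", f)
```

The generic rule fires on the C2 session without knowing the C2 address, which is why it is worth deploying even after the specific IP is blocked; the exact-match check only confirms which of the generic hits belongs to this sample.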