General
Target: D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
Size: 432KB
Sample: 230426-b1jgbaec47
MD5: 9b07a0fdaa64049e857b3982eeb3a575
SHA1: 63d7d2eefd78ee4736243c8e32c305366603c579
SHA256: d8d4a25dd484e96413ff9530e93621af5c53e96cf2b0435968f5fc72dad85d9b
SHA512: 49db3c66ee829534937ba0cc8f62f568cc04891b141e402d5c2c7961335efbd453f33bc57b218f9cf609b4a665df4b31810d4215d6e994c03934264b184c770a
SSDEEP: 6144:SPn3xY3d6ND9D/S4mAC09X1Qd6pOzWqGLDUz7j42W3Llin:SLNoS1Y6pq1AUvjW3Un
Static task: static1
Behavioral task: behavioral1
  Sample: D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: netwire
forgiveme.workisboring.com:3360
activex_autorun: true
activex_key: {TN38RH36-U670-03U7-57DE-24XMTWQBHGH1}
copy_executable: true
delete_original: false
host_id: bendal
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password
registry_autorun: true
startup_name: centosffjk
use_mutex: false
Targets
Target: D8D4A25DD484E96413FF9530E93621AF5C53E96CF2B04.exe
Score: 10/10
- NetWire RAT payload
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application