General
- Target: knr.exe
- Size: 2.3MB
- Sample: 240308-lhvfzabf92
- MD5: cc28e40b46237ab6d5282199ef78c464
- SHA1: 0d5c820002cf93384016bd4a2628dcc5101211f4
- SHA256: 749e161661290e8a2d190b1a66469744127bc25bf46e5d0c6f2e835f4b92db18
- SHA512: 44b689ec760068e505ff4d7d708cb9653bbd1c9cdaac387f76af2bdef99349edd5ac9443125d29938bc77a5a889442c8e99091c5116599ec6f68495f962b5044
- SSDEEP: 49152:HxZKeQAhGOzL0AreYOvAw0nH63BJZoo7IdjU/rVIiP80XfM6Y7:CeQAhGOzJrGvAw0nHoBJZooP/rVIiPvE
Static task: static1
Behavioral task: behavioral1 (Sample: knr.exe, Resource: win7-20240215-en)
Behavioral task: behavioral2 (Sample: knr.exe, Resource: win10v2004-20240226-en)
Malware Config
Extracted: netwire
dunlop.hopto.org:2032
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: tng
- install_path: %AppData%\tng\tng.exe
- keylogger_dir: %AppData%\tgn\
- lock_executable: true
- mutex: bmnxcvbT
- offline_keylogger: true
- password: Password
- registry_autorun: true
- startup_name: tng
- use_mutex: true
Targets
Score: 10/10
- NetWire RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application