General
Target: cb8689a8c6988aa80c7a79c6353158eb
Size: 4.3MB
Sample: 240315-qpfnlsbe29
MD5: cb8689a8c6988aa80c7a79c6353158eb
SHA1: 677d9c639f10a6664c33006c94ef5ce2191d762f
SHA256: c58771ee917e04657e83a23e53305b8c311a143791bf16e8542fb692665c5047
SHA512: d15a3324eaefe93070b54584cbb22eaea1a5d364e2db8c651cd47c983ccd63db551209cbc5cee98b67dd59b366a6c85ab1cc10ad68b5fc4e0373d849017872d0
SSDEEP: 98304:s2cPK8eAz79BY9t7SLs2pYnKwr6HReEYPiHxwKAqkPq:3CKmBYj7P2KK2qbYKHqKAdi
Static task: static1

Behavioral task: behavioral1
Sample: cb8689a8c6988aa80c7a79c6353158eb.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: cb8689a8c6988aa80c7a79c6353158eb.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted
Family: netwire
C2: clients.enigmasolutions.xyz:54573
activex_autorun: false
copy_executable: true
delete_original: false
host_id: Cleint-%Rand%
install_path: %AppData%\Microsoft\Crypto\fers.exe
keylogger_dir: %AppData%\msr\
lock_executable: false
offline_keylogger: true
password: \tx>N(6H`Om2k/cWJBp,""bUbAd1-0Mg
registry_autorun: true
startup_name: fers
use_mutex: false
Targets
Target: cb8689a8c6988aa80c7a79c6353158eb
Score: 10/10
- NetWire RAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext