General
Target: 644985bd33d378f4ca9fde53e472652a6d175cc14e202e4703a265daac774a24
Size: 127KB
Sample: 240410-nlt1qahb7s
MD5: 69c2af6fffd6537590c7bdba36b5823b
SHA1: a2f426e4d013f5400d9e86e251d54b057717f546
SHA256: 644985bd33d378f4ca9fde53e472652a6d175cc14e202e4703a265daac774a24
SHA512: 6ae6fcc7cd9ce0cc1c02d3fe997a9b1ba2c2eb334d99eca9584954c18961cb1ac7ca14b98b23990f02e2b5dd4290a94df5dd16a2e5d2080ba5fa6ffa7cc29c9d
SSDEEP: 3072:Uq3E2BfBSbEsz7nCAFVNNvBGvdO5gPaEjep8Fe7Z1iO7ZbvbGV7:BRBfBSosz7nCA3NHCdXaEj7Fe7Z1iOFo
Behavioral tasks
behavioral1: 644985bd33d378f4ca9fde53e472652a6d175cc14e202e4703a265daac774a24.exe, resource win7-20240221-en
behavioral2: 644985bd33d378f4ca9fde53e472652a6d175cc14e202e4703a265daac774a24.exe, resource win10v2004-20240226-en
Malware Config
Extracted
Family: netwire
C2: noreply2host.duckdns.org:83
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Hostdyn.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: StLgQSxQ
offline_keylogger: true
password: Snoopy123
registry_autorun: true
startup_name: Hostdyn
use_mutex: true

Reading the config: copy_executable together with install_path means the sample copies itself to %AppData%\Install\Hostdyn.exe (delete_original is false, so the dropper is left in place); registry_autorun together with startup_name means a Run-key value named Hostdyn pointing at that copy; use_mutex together with mutex means a single running instance guarded by the mutex StLgQSxQ; offline_keylogger together with keylogger_dir means keystrokes are written under %AppData%\Logs\ even when the C2 is unreachable. host_id contains %Rand%, so the identifier the implant reports is randomized per victim and is not a stable indicator. The C2 is a DuckDNS dynamic-DNS hostname on the non-standard TCP port 83; because the resolved address can change at any time, the DNS query for noreply2host.duckdns.org is the more durable network indicator than any IP. The password is an operator-set value and is useful for clustering other samples built by the same operator.
Targets
Score: 10/10
Signatures:
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence. A sample that checks locale may refuse to run or behave differently in some regions, so the configured locale of the analysis VM affects what is observed.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
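The extracted configuration and the behavioural signatures above map directly onto endpoint telemetry: the install path and Run-key name become file and registry indicators, the mutex becomes a handle indicator, and the C2 hostname becomes a DNS indicator. The following is an added example, not code from the sandbox or from NetWire, that turns the config values reported on this page into matchers and runs them over a small set of constructed telemetry events (the paths, user name, IP address and log file name in the events are made up for illustration; the Run key hive is not stated on the page, so the matcher accepts any key ending in \CurrentVersion\Run):

```python
"""Turn the NetWire config reported above into host and network IOCs and hunt
over endpoint telemetry.  Added example; the telemetry records are constructed."""
import re

# Configuration values exactly as reported on this page.
NETWIRE_CONFIG = {
    "c2": "noreply2host.duckdns.org:83",
    "install_path": r"%AppData%\Install\Hostdyn.exe",
    "keylogger_dir": r"%AppData%\Logs\ ".strip(),  # trailing backslash: a directory
    "mutex": "StLgQSxQ",
    "use_mutex": True,
    "registry_autorun": True,
    "startup_name": "Hostdyn",
    "host_id": "HostId-%Rand%",  # %Rand% is randomized per victim; not an indicator
}


def path_pattern(template):
    """Compile a config path such as %AppData%\\Install\\Hostdyn.exe into a regex
    that matches the path under any user's roaming profile.  A template ending in
    a backslash is a directory and matches everything beneath it."""
    out = []
    for part in re.split(r"(%[A-Za-z]+%)", template):
        if part == "%AppData%":
            out.append(r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming")
        elif part.startswith("%") and part.endswith("%"):
            out.append(r"[^\\]+")          # any other placeholder: one path component
        else:
            out.append(re.escape(part))
    tail = "" if template.endswith("\\") else "$"
    return re.compile("^" + "".join(out) + tail, re.IGNORECASE)


def iocs(cfg):
    """Derive matchers from the config, honouring the boolean switches."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "install": path_pattern(cfg["install_path"]),
        "keylog": path_pattern(cfg["keylogger_dir"]),
        "mutex": cfg["mutex"] if cfg["use_mutex"] else None,
        "run_value": cfg["startup_name"] if cfg["registry_autorun"] else None,
    }


def hunt(events, cfg=NETWIRE_CONFIG):
    """Return (label, event) pairs for telemetry records that match the config."""
    i = iocs(cfg)
    hits = []
    for ev in events:
        t = ev["type"]
        if t == "file_create" and i["install"].match(ev["path"]):
            hits.append(("netwire:install_path", ev))
        elif t == "file_create" and i["keylog"].match(ev["path"]):
            hits.append(("netwire:keylogger_dir", ev))
        elif (t == "registry_set" and i["run_value"]
              and ev["key"].lower().endswith(r"\currentversion\run")
              and ev["value"] == i["run_value"]):
            hits.append(("netwire:run_key", ev))
        elif t == "process_start" and i["install"].match(ev["image"]):
            hits.append(("netwire:dropped_exe_executed", ev))
        elif t == "mutex_create" and i["mutex"] and ev["name"] == i["mutex"]:
            hits.append(("netwire:mutex", ev))
        elif t == "dns_query" and ev["qname"].lower().rstrip(".") == i["c2_host"]:
            hits.append(("netwire:c2_dns", ev))
        elif t == "net_connect" and ev["port"] == i["c2_port"]:
            # Port alone is weak evidence; the resolved IP of a DDNS name changes.
            hits.append(("netwire:c2_port_weak", ev))
    return hits


# Constructed telemetry for a hypothetical user "alice"; 203.0.113.5 is a
# documentation address, not a real C2 IP.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Install\Hostdyn.exe"},
    {"type": "registry_set", "key": RUN_KEY, "value": "Hostdyn",
     "data": r"C:\Users\alice\AppData\Roaming\Install\Hostdyn.exe"},
    {"type": "process_start", "image": r"C:\Users\alice\AppData\Roaming\Install\Hostdyn.exe"},
    {"type": "mutex_create", "name": "StLgQSxQ"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Logs\12042024.log"},
    {"type": "dns_query", "qname": "noreply2host.duckdns.org"},
    {"type": "net_connect", "dst": "203.0.113.5", "port": 83},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Install\readme.txt"},  # benign
    {"type": "dns_query", "qname": "www.example.com"},  # benign
]

if __name__ == "__main__":
    for label, ev in hunt(EVENTS):
        print(label, ev)
```

The %AppData% expansion is done as a pattern rather than via the analyst's own environment, so the same matcher applies to every user profile on a host. The Run-key and mutex checks are the ones tied to the signatures "Adds Run key to start application" and the single-instance guard; the DNS check is the one to push to network sensors.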