General
Target: 169798f79c5f6cbcaeed9457aa0fc1b9a1bda38c01fe3bb3b75ab762f4a208e1
Size: 823KB
Sample: 240417-qazsyage43
MD5: 42f53ffe5b4e846fc2b7c161a3615d27
SHA1: 49e8e0988da90b97a9a2e503d75926a19dc797a8
SHA256: 169798f79c5f6cbcaeed9457aa0fc1b9a1bda38c01fe3bb3b75ab762f4a208e1
SHA512: a61563c4b70f2051d35fc81c7e4e26f398d33eb6dcacb19c8992dd858b006a7a37e84d95e2923d4274e734791365d658a41ff190cba8d334a57c640a2f90c653
SSDEEP: 24576:nW2Bj+149q40J2Ml9eC4vMI+4wmQLCpzLH:djr9CA+914Eb4wBLCRj
Static task: static1
Behavioral task: behavioral1
Sample: 6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac.exe
Resource: win7-20240221-en
Malware Config
Extracted: netwire
zekeriyasolek44.duckdns.org:3102
activex_autorun: false
copy_executable: false
delete_original: false
host_id: Valentine End
install_path: %Windows%\Windows DataPoint\Windows Data Start.exe
lock_executable: false
mutex: Windows
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
Targets
Target: 6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac.exe
Size: 948KB
MD5: 8545b3c5f346723524e6dd29bfe64083
SHA1: e864f9c2d68edb928217325e5c8e8cc5eb86dc3f
SHA256: 6bd3a312c22fe9fa71fb2ace3f5ec6e8cdfc06a22a0d31f6bcb5896c083cc3ac
SHA512: 42fe1fbdd7ac210f331fd7da891c75509a8271bda0b6816facc4f8d6220fa51525d94d48a97e824e5d5ee4949309592324ab24a9b58a579e79d66aaf7d4cf696
SSDEEP: 24576:Iky9IISJqTZPEeqJa5E7Om5Fi5EuyuqUc+3l9:Y2eoam5FS9q
- Detect ZGRat V1
- NetWire RAT payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext