General
Target: 305013b1a63e379f6599d1fd6751b6101a34727cd3d98cab279c80e590ce9292
Size: 61KB
Sample: 240417-qbcpssaa4z
MD5: b1d4c775078a625ad9792a9a529ce556
SHA1: a621eb11dfade110e06a07d35fdf06dd3d37212f
SHA256: 305013b1a63e379f6599d1fd6751b6101a34727cd3d98cab279c80e590ce9292
SHA512: de3d7f31a14e18cf70831477a7efc3fd60eea30f8678d043a23c5b860216b3aa677237eba2f8335d42aa914e484132b6682a6a60f37b78dd111a2955ac97c2c1
SSDEEP: 1536:njhBmPdv5j78eQjRuXOb9mVjWoDpcEPpK1/IgoUkAOXAoY:jhB8dBHPJscVvDpcXwprAOfY
Behavioral task: behavioral1
Sample: 20a7088411ad98c4dd710ec1913d464e374b28d4873c26a0dcc2910e486b9323.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 20a7088411ad98c4dd710ec1913d464e374b28d4873c26a0dcc2910e486b9323.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted: netwire
fucktoto.duckdns.org:3369
activex_autorun: true
activex_key: {4KUJJ476-38ES-RCMH-QGW0-22030L368G76}
copy_executable: true
delete_original: false
host_id: blower
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: gbam1234
registry_autorun: true
startup_name: NetWire
use_mutex: false
Targets
Target: 20a7088411ad98c4dd710ec1913d464e374b28d4873c26a0dcc2910e486b9323.exe
Size: 148KB
MD5: 21f0006a914bac1bcca71c4167e65585
SHA1: d33e3d8053a8068a1de57a6cfa54bde59c6761d7
SHA256: 20a7088411ad98c4dd710ec1913d464e374b28d4873c26a0dcc2910e486b9323
SHA512: f84be9a43a136374b88d39ffaa263fa0bb2ef50c639ff2b649aec64f6ba9e4cc64860c99d3565c93662a17209df62200ef5b1b9309554ea643e18b31543f428c
SSDEEP: 3072:ROzIy5XGViztldWl88Yed2DQuIAQvQ+d0aY1DLARX:Ro2ViztvWlvd2UuIAQvQ+yFVLAR
Score: 10/10
- NetWire RAT payload
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application