General
-
Target
4dd4ba71746626e0d94c7300d9befb90a1c2eb6a2ff1f67bd2d1b7974ae0d82a
-
Size
303KB
-
Sample
240424-1ejydsab55
-
MD5
5aa1a891860da0f58c125167334dcd27
-
SHA1
0c68a28710799bf8d7a84b4c90dd33ee0c76a87f
-
SHA256
4dd4ba71746626e0d94c7300d9befb90a1c2eb6a2ff1f67bd2d1b7974ae0d82a
-
SHA512
fd764453d243372e0091e5d50cd998d5f3c037960c32d27d2b25fdc455ddec139ba5be1c114a150c61b7d429b6c93d5161ced33a811df0bbbf7ce498321ddd0e
-
SSDEEP
6144:sI7YWQnvZoDOUMHLuh93d3/2qXXtFGmbwLN+gZgxUGUiL1Lcg:xVsdHY9NJXGmbl/zU2
Static task
static1
Behavioral task
behavioral1
Sample
4dd4ba71746626e0d94c7300d9befb90a1c2eb6a2ff1f67bd2d1b7974ae0d82a.exe
Resource
win7-20240215-en
Malware Config
Extracted
netwire
ml.warzonedns.com:4772
194.5.98.183:4772
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
fvbrHCbc
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
true
Targets
-
-
Target
4dd4ba71746626e0d94c7300d9befb90a1c2eb6a2ff1f67bd2d1b7974ae0d82a
-
Size
303KB
-
MD5
5aa1a891860da0f58c125167334dcd27
-
SHA1
0c68a28710799bf8d7a84b4c90dd33ee0c76a87f
-
SHA256
4dd4ba71746626e0d94c7300d9befb90a1c2eb6a2ff1f67bd2d1b7974ae0d82a
-
SHA512
fd764453d243372e0091e5d50cd998d5f3c037960c32d27d2b25fdc455ddec139ba5be1c114a150c61b7d429b6c93d5161ced33a811df0bbbf7ce498321ddd0e
-
SSDEEP
6144:sI7YWQnvZoDOUMHLuh93d3/2qXXtFGmbwLN+gZgxUGUiL1Lcg:xVsdHY9NJXGmbl/zU2
-
NetWire RAT payload
-
Detects executables packed with Agile.NET / CliSecure
-
Detects executables packed with SmartAssembly
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-