General
-
Target
cedc7e792cca858e878e0275a8d94730N.exe
-
Size
160KB
-
Sample
240904-g89w5axcke
-
MD5
cedc7e792cca858e878e0275a8d94730
-
SHA1
7a6f2972071c1acea8f9d55dd86b2f6eacbe8813
-
SHA256
557753efc0e16d19a0e07c70f5cd70f0c63967eba8373e07e2c5583ff5b68dc7
-
SHA512
8d977e652c111f4d5cb15f1664e3a30a61d4a63cc6b8e9b90739d8d3bcb56e715ce57032f694d362d214e9962e0fea5cc7746c1edfb69c31df6cd435b3ac3a8f
-
SSDEEP
3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvJYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/JzQqqDvFf
Behavioral task
behavioral1
Sample
cedc7e792cca858e878e0275a8d94730N.exe
Resource
win7-20240729-en
Malware Config
Extracted
netwire
45.64.53.236:3360
logins.fofa360.com:3360
-
activex_autorun
false
-
copy_executable
true
-
delete_original
true
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\svchost.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
mutex
ooAUTfnR
-
offline_keylogger
true
-
password
C4|m$HKbU$
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
true
Targets
-
-
Target
cedc7e792cca858e878e0275a8d94730N.exe
-
Size
160KB
-
MD5
cedc7e792cca858e878e0275a8d94730
-
SHA1
7a6f2972071c1acea8f9d55dd86b2f6eacbe8813
-
SHA256
557753efc0e16d19a0e07c70f5cd70f0c63967eba8373e07e2c5583ff5b68dc7
-
SHA512
8d977e652c111f4d5cb15f1664e3a30a61d4a63cc6b8e9b90739d8d3bcb56e715ce57032f694d362d214e9962e0fea5cc7746c1edfb69c31df6cd435b3ac3a8f
-
SSDEEP
3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLvJYMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/JzQqqDvFf
-
NetWire RAT payload
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-