General
-
Target
hd.sentinel.pro.4.x-5.x-Patch.exe
-
Size
356KB
-
Sample
240913-pyw7aa1ejn
-
MD5
05a20a1a555d11e3981867f46b64e696
-
SHA1
a69dbc6ea5176d692d700b2fb69b8b21a9176208
-
SHA256
08b27ef5cca3892b6ed39bb59985c9e6295b4cdc2d89a52dd65040f0f995e3f2
-
SHA512
a68b3319d728e980f41771c4a2d973ba34c129f49b4f3e3ac8bff1f18ac5732e60b48f532d61939d4a4cca79f112a6248dd9f4421503479ce109fba7d7841e99
-
SSDEEP
6144:TuxXeDoNSbUkmUGBfwX9SKtVzK4ZjgAlvNarXdoadhg:TuODoNuhGB4oKtVzK4ZUAlVaDeaTg
Malware Config
Extracted
netwire
haija.mine.nu:1616
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
hd.sentinel.pro.4.x-5.x-Patch.exe
-
Size
356KB
-
MD5
05a20a1a555d11e3981867f46b64e696
-
SHA1
a69dbc6ea5176d692d700b2fb69b8b21a9176208
-
SHA256
08b27ef5cca3892b6ed39bb59985c9e6295b4cdc2d89a52dd65040f0f995e3f2
-
SHA512
a68b3319d728e980f41771c4a2d973ba34c129f49b4f3e3ac8bff1f18ac5732e60b48f532d61939d4a4cca79f112a6248dd9f4421503479ce109fba7d7841e99
-
SSDEEP
6144:TuxXeDoNSbUkmUGBfwX9SKtVzK4ZjgAlvNarXdoadhg:TuODoNuhGB4oKtVzK4ZUAlVaDeaTg
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-