General
-
Target
fd28c96c3d45259a13d5e205ff342464025e6f451a258c6a524e6463e7f7fec1
-
Size
227KB
-
Sample
220520-2rt5kafhc3
-
MD5
213b1e3e594c7908af76d807649208c1
-
SHA1
226c95da6310b43b5545f34f6d07d7d2458cec24
-
SHA256
fd28c96c3d45259a13d5e205ff342464025e6f451a258c6a524e6463e7f7fec1
-
SHA512
a1237517281d78ae951ef3daa42301b51c78c91a2e1ab3e5a50067f96428272a99d20d6bc683c79f4686aa92dff02207249af71c02f8064db0d4da2dc0c33757
Static task
static1
Behavioral task
behavioral1
Sample
Swift Copy.exe
Resource
win7-20220414-en
Malware Config
Extracted
netwire
185.244.29.161:1591
-
activex_autorun
false
-
activex_key
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
NeiqFfto
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
startup_name
-
use_mutex
true
Targets
-
Target
Swift Copy.exe
-
Size
341KB
-
MD5
b864067e3fa697652752fcd54f2b0621
-
SHA1
b9c2af989e2a4665df92e734bf7e1894ad9b873f
-
SHA256
9b8107f42878501861702cac98baea7034b91231b362ce08741479aaf7c6cf4d
-
SHA512
6e37f92c0833881d8a533e5d696d536af4c10b0b835f5c65d979961a07784ea70ca9ae2942248a32251a892eef296e6c5f9f19ebf71d373320cb5e78a1d8eac5
-
NetWire RAT payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-