General
Target: 4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d
Size: 431KB
Sample: 220520-fxg7asebhn
MD5: 839a358056109761a9323444b0fd7984
SHA1: a82b91764532cbc42d96b98b096cefc0f4e21ede
SHA256: 4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d
SHA512: 5f6dd1ab2f5925e4fb15b810ea541d54e7a0748c2995b8b832b6f43c1acf4eacb673af65a149ee13fb54a86971f0034e60706f8dd894bf037e9937fe761fe386

Static task: static1

Behavioral task: behavioral1
Sample: 4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: netwire
harromex.com:4020

activex_autorun: false
activex_key:
copy_executable: true
delete_original: true
host_id: Grace
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: qofiTxIi
offline_keylogger: true
password: niconpay$
registry_autorun: true
startup_name: Netwire
use_mutex: true
Targets
Target: 4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d
Size: 431KB
MD5: 839a358056109761a9323444b0fd7984
SHA1: a82b91764532cbc42d96b98b096cefc0f4e21ede
SHA256: 4d57cb5106534f8239619dcf140f491c45759cd5b632ca36fe9941a9cb19176d
SHA512: 5f6dd1ab2f5925e4fb15b810ea541d54e7a0748c2995b8b832b6f43c1acf4eacb673af65a149ee13fb54a86971f0034e60706f8dd894bf037e9937fe761fe386
Score: 10/10

- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext