General
Target: 9530267408a020ad51d1152af9d09129f78ac294080ba334cc6843a9a44d07e6
Size: 962KB
Sample: 220520-ryvpkagff6
MD5: ec95eb77dd1677247650557c9d335a2e
SHA1: c363936a59e10cc2eb2934d420964b5a0bf96892
SHA256: 9530267408a020ad51d1152af9d09129f78ac294080ba334cc6843a9a44d07e6
SHA512: 28540b21dfb1815a58ba3051c5e91f74e59a68ce2ff81288e8f49e4bbfdd47a3bf276eee7d117a621363c3cccb572a8d357ded2b55edd09015cbd7bc73ea2b4c
Static task: static1
Behavioral task: behavioral1
  Sample: Proof of Payment.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Proof of Payment.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: netwire
  154.16.93.182:3361
  154.16.93.182:3368
  activex_autorun: false
  activex_key: (empty)
  copy_executable: false
  delete_original: false
  host_id: HostId-%Rand%
  install_path: (empty)
  keylogger_dir: %AppData%\Logs\
  lock_executable: false
  mutex: (empty)
  offline_keylogger: true
  password: south123456
  registry_autorun: false
  startup_name: (empty)
  use_mutex: false
Targets
Target: Proof of Payment.exe
Size: 1.1MB
MD5: f818cb764aab5e0d02545172edf9d6a3
SHA1: 019ed52ad6f7026e83ce7ed2c63d3ca62f3d9276
SHA256: 5f2b6faf1de19342f874c50bad45b66727e24218cd8d2610f7d3fbb5d47cccab
SHA512: f4d635f57e2ed13b2f3a3ed057ed9da08bcda819c8925049d0b0fb60f3c9c461646c353d39f85766e6309b324a27f091aef3591fcdc49a1765648635a0acf1ab
Score: 10/10
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext