General
-
Target
74ea48927311f7729e492a810c7ce69730d10c7161fe971363a2f561565f974b
-
Size
1.2MB
-
Sample
220521-c8qe9sfbg4
-
MD5
6807012d3da7b63fde88f40a9fbb57d6
-
SHA1
d1e458e05807c7df506798987d7019ea8c71c05d
-
SHA256
74ea48927311f7729e492a810c7ce69730d10c7161fe971363a2f561565f974b
-
SHA512
56288b85fd0ac2602aedb2e2de0d3e1d804a129469cf7850ab5cef2bc4221467dcd31d65d05bdb8a8c10cb6f593bf3e2830110aada0f0305d770aee665cf4197
Static task
static1
Behavioral task
behavioral1
Sample
SCAN_702.exe
Resource
win7-20220414-en
Malware Config
Extracted
netwire
winx.xcapdatap.capetown:7390
-
activex_autorun
false
- activex_key
-
copy_executable
false
-
delete_original
false
-
host_id
Jagz_$$$
- install_path
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
- mutex
-
offline_keylogger
true
-
password
P@55w0rd!
-
registry_autorun
false
- startup_name
-
use_mutex
false
Targets
-
-
Target
SCAN_702.EXE
-
Size
305KB
-
MD5
a8f1e8384b7604be4ceba25ca83f7134
-
SHA1
61dd45925f9a708069216a915b4b5ffd6555babf
-
SHA256
ccd667e3a1a0577ed841968990cb37790e1e6f0fb4ceb1a2f947ef391d68dd4d
-
SHA512
10621714d096089923664cb0fc5eb7f8af165dc22048ff69c8589ec2ba4c19c41e2888f2bb14713580ada661a53fe86ff155501192ec9f1d4f2277c8bab75e4e
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-