General
- Target: a16c2ce4087427f7ea26a1100bebb47a9d5cc46cb9490a1213a29f904d7e62a5
- Size: 1.2MB
- Sample: 220521-d8bgsacacq
- MD5: 38963cf2710e9d4a825893a5673b7281
- SHA1: ea76747348f5edc0453976d0c9fb2b7b424e8306
- SHA256: a16c2ce4087427f7ea26a1100bebb47a9d5cc46cb9490a1213a29f904d7e62a5
- SHA512: 0f1676a854a9d8ab39b6fccc9c90f50bff308295eddd29bc287bae5e498bb855e59da4dabcb845c9b5db0cff5af470d8e99053aeed792638325657eb5a01a0d8

Static task
- static1

Behavioral task
- behavioral1
- Sample: IMG SCAN COPY PO ORDER.exe
- Resource: win7-20220414-en

Malware Config
Extracted: netwire
- twohoes.duckdns.org:1710
- activex_autorun: false
- activex_key: (empty)
- copy_executable: false
- delete_original: false
- host_id: Turkey
- install_path: (empty)
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: (empty)
- offline_keylogger: true
- password: Master45
- registry_autorun: false
- startup_name: (empty)
- use_mutex: false

Targets
- Target: IMG SCAN COPY PO ORDER.exe
- Size: 1.1MB
- MD5: d939a9aa374ef97b17cbaa102ddab108
- SHA1: 4ee65b0f46ef7b369589544faa212cbd790298b9
- SHA256: 1ac8944d42d3a594940bbd74613193bc47430b6c6c958caf9a5b4521bd9efb91
- SHA512: f0557cc439f35dadbae662fe5295acdccfa481899c44cd50bd0f3f3fae4d39e4a7aa2f7ae42c91f1541d22fc4e87a1fffac7051cc84fb1ae568715a63cf2eaf1
- NetWire RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext