General
Target: af5f5520e428ff03c99d655b7d8968a659f788a6a93284e0121ce0814ebb38d8
Size: 154KB
Sample: 220521-n76lmsege7
MD5: a919abd1954ba7fbc64698888c51b109
SHA1: 64dd08e93b94e2cf5c69da11530e38467d43d637
SHA256: af5f5520e428ff03c99d655b7d8968a659f788a6a93284e0121ce0814ebb38d8
SHA512: 092b8c6c69cff17ec8242d2977e285a26ed923c9534f5a41dc5319ab76ba145ec7dda5f887880e83a79bbfd3dc5c25bdcd5ee4c37581b6ce0c495fb948f27b91
Static task: static1
Behavioral task: behavioral1
Sample: 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
Resource: win7-20220414-en
Malware Config
Extracted: netwire
iphanyi.duckdns.org:3360
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: SMS_Group
install_path:
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex:
offline_keylogger: true
password: caster123
registry_autorun: false
startup_name:
use_mutex: false
Targets
Target: 15-08-2020 - SOFT COPY_PAYMENT SLIP.exe
Size: 234KB
MD5: e792eb4a972110714df6761ef60284c6
SHA1: 91bb096d730ca536a0f18534acdec271bdd0eefa
SHA256: b6f5a289ab47b790c1bc57a5a3b35871fc968da66ebb3fdd7669de18c2ba3dd5
SHA512: 40ebe7bd5b18845710cfb3116888d16da8a9fd6c1d53a39000103feac45c1dfeaa4efa05104072313973d5fb87b62b06ea3c697513b4303c45124d020b22eead
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Suspicious use of SetThreadContext