General
-
Target
ORDER SPECIFICATION.js
-
Size
81KB
-
Sample
220620-jgc47adad7
-
MD5
8c577d950786e8262f22dd3c23ca8c07
-
SHA1
a933a3f7da664089ab715ee06ca9fdf17d9ef318
-
SHA256
d6d4d55f2df43c5d2a35a96b53ac0f949673a901ce8aeb41ed1144ecb7b3ba09
-
SHA512
21217ecf4c1f0aba4c72e3a7cb1d49643d506aed4ca59753e052090c4df2d8f2f607c46d7a2b95802f1686f48d45e8ca9fd0cd851ce66ecf6ce88b17db4d7c40
Static task
static1
Behavioral task
behavioral1
Sample
ORDER SPECIFICATION.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ORDER SPECIFICATION.js
Resource
win10v2004-20220414-en
Malware Config
Extracted
netwire
netuwaya.servecounterstrike.com:4734
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
Target
ORDER SPECIFICATION.js
-
NetWire RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-