General
- Target: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
- Size: 813KB
- Sample: 220630-3tlfwaefa6
- MD5: c78cc437caa7edfc9c3494c58b017e8a
- SHA1: 61cbbf0bef3c282c12a88fa927ce1447caffb3f7
- SHA256: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
- SHA512: bf049956c7cbf887820027f658a89f3833dccef089b50beaf3d60b8a8e539947728710d218a03d5948e9ae9b15e6640557425822daa57ef4b248bba7e81431f5
Static task
- static1
Behavioral task
- behavioral1
- Sample: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: netwire
- C2: blackhills.ddns.net:1030
- C2: 213.183.58.34:1031
- activex_autorun: false
- copy_executable: true
- delete_original: true
- host_id: Lord Of Sabbath
- install_path: %AppData%\Roaming\svchost.exe
- lock_executable: true
- mutex: conhost
- offline_keylogger: false
- password: Password
- registry_autorun: false
- use_mutex: true
Targets
- Target: 3fa2905c28d4a7835efb745dc22ba8a033e46be44085d8db48be2a525cf3f651
Signatures
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext