General
- Target: 3f4db563fac37765d5f612bb244a4c85b2c908449a9bd317bb1842e385e8293d
- Size: 371KB
- Sample: 220701-cg5e4shbg7
- MD5: f580d7dc4241c8be26ba058a74678661
- SHA1: efa6811c33a36c189c980d6564b9aeba4f66bc05
- SHA256: 3f4db563fac37765d5f612bb244a4c85b2c908449a9bd317bb1842e385e8293d
- SHA512: 7556217dfb94d4954c7c7bed8f3783e5181e9207f867ac5e88e0523d6e3e09ae7bf806167ab753765bfd6389be15f9cf1a13fff69e2c2ca2b2ddb3c17fb6c3c3
Static task: static1

Behavioral task: behavioral1
- Sample: 3f4db563fac37765d5f612bb244a4c85b2c908449a9bd317bb1842e385e8293d.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3f4db563fac37765d5f612bb244a4c85b2c908449a9bd317bb1842e385e8293d.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: netwire

C2:
- pustios.ug:6971
- testingskapss.ru:6971
- papapamels.ru:6971
- testingskapss.su:6971

Attributes:
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- lock_executable: false
- mutex: JTbRfkgY
- offline_keylogger: false
- password: ppF7"oRyqm
- registry_autorun: false
- use_mutex: true
Targets
- Target: 3f4db563fac37765d5f612bb244a4c85b2c908449a9bd317bb1842e385e8293d
- Score: 10/10

- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext