General
Target: 3e5ab6c919f0a1c87267e6eb64da2bc7ea2e5dc3f8e72aba4f92e036c7932540
Size: 1.8MB
Sample: 220701-jjxllsadbl
MD5: def190718ee77f76ba654dcda072cac4
SHA1: 25bd8c0996413d5e25605c355f734cefbf634cfc
SHA256: 3e5ab6c919f0a1c87267e6eb64da2bc7ea2e5dc3f8e72aba4f92e036c7932540
SHA512: 6aacc4ec3d0a40486f2df1ec384b705e5115138e62ddad03565e9402c54c4ced3cb16f2fd503d173ba2b101f813d8269bbf2da6d1d7dba4cdaf74a006f52567c
Static task: static1
Behavioral task: behavioral1
Sample: 3e5ab6c919f0a1c87267e6eb64da2bc7ea2e5dc3f8e72aba4f92e036c7932540.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: netwire
C2: ml.warzonedns.com:4772
C2: 194.5.98.183:4772
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: fvbrHCbc
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: true
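The extracted configuration above is the part of this report a defender actually reuses. As an added example (not code from the report or from the sandbox that produced it), the Python below parses that config block in the layout shown, turns it into indicators and matches them against a few constructed endpoint events. The event records, the user name in the paths and the expansion of %AppData% to <profile>\AppData\Roaming are assumptions; host_id is deliberately left out because %Rand% makes it unique per infection.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# The NetWire config block as the report lays it out (family, one C2 per
# line, then "-"-separated key/value pairs), embedded so this runs offline.
REPORT_CONFIG = (
    "netwire\n"
    "ml.warzonedns.com:4772\n194.5.98.183:4772\n"
    "-\nactivex_autorun\nfalse\n-\ncopy_executable\nfalse\n"
    "-\ndelete_original\nfalse\n-\nhost_id\nHostId-%Rand%\n"
    "-\nkeylogger_dir\n%AppData%\\Logs\\\n-\nlock_executable\nfalse\n"
    "-\nmutex\nfvbrHCbc\n-\noffline_keylogger\ntrue\n-\npassword\nPassword\n"
    "-\nregistry_autorun\nfalse\n-\nuse_mutex\ntrue\n"
)

C2_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")


def _coerce(val: str):
    """true/false become bools; everything else stays a string."""
    return val.lower() == "true" if val.lower() in ("true", "false") else val


def parse_netwire_config(text: str) -> Dict:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family = lines[0]
    c2: List[Tuple[str, int]] = []
    i = 1
    while i < len(lines) and lines[i] != "-":      # C2 lines run until the first "-"
        m = C2_RE.match(lines[i])
        if not m:
            raise ValueError(f"unexpected C2 line: {lines[i]!r}")
        c2.append((m.group("host"), int(m.group("port"))))
        i += 1
    rest = [ln for ln in lines[i:] if ln != "-"]    # "-" only separates key/value pairs
    if len(rest) % 2:
        raise ValueError("attribute key without a value")
    attrs = {k: _coerce(v) for k, v in zip(rest[0::2], rest[1::2])}
    return {"family": family, "c2": c2, "attributes": attrs}


def derive_iocs(cfg: Dict) -> Dict:
    attrs = cfg["attributes"]
    iocs = {"domains": set(), "ips": set(), "ports": set(), "mutexes": set(),
            "keylogger_dir": None}
    for host, port in cfg["c2"]:
        try:
            ipaddress.ip_address(host)
            iocs["ips"].add(host)
        except ValueError:
            iocs["domains"].add(host.lower())
        iocs["ports"].add(port)
    # host_id is "HostId-%Rand%": random per infection, so it is not an IOC.
    if attrs.get("use_mutex") and attrs.get("mutex"):
        iocs["mutexes"].add(attrs["mutex"])
    if attrs.get("offline_keylogger"):
        iocs["keylogger_dir"] = attrs.get("keylogger_dir")
    return iocs


def _dir_pattern(template: str):
    # Assumption: %AppData% expands to <profile>\AppData\Roaming (the Windows
    # default); matching on that suffix avoids hard-coding a user name.
    parts = [re.escape(p) for p in template.split("%AppData%")]
    return re.compile("^" + r".*\\AppData\\Roaming".join(parts), re.IGNORECASE)


def match_events(iocs: Dict, events: List[Dict]) -> List[str]:
    dir_re = _dir_pattern(iocs["keylogger_dir"]) if iocs["keylogger_dir"] else None
    hits = []
    for ev in events:
        t = ev["type"]
        if t == "netconn" and ev["dst"] in iocs["ips"] and ev["dport"] in iocs["ports"]:
            hits.append(f"C2 connection {ev['dst']}:{ev['dport']}")
        elif t == "dns" and ev["query"].lower() in iocs["domains"]:
            hits.append(f"C2 lookup {ev['query']}")
        elif t == "mutex" and ev["name"] in iocs["mutexes"]:
            hits.append(f"NetWire mutex {ev['name']}")
        elif t == "file_write" and dir_re and dir_re.match(ev["path"]):
            hits.append(f"offline keylogger log {ev['path']}")
    return hits


# Constructed endpoint telemetry (hypothetical user, paths and benign events).
SAMPLE_EVENTS = [
    {"type": "dns", "query": "ml.warzonedns.com"},
    {"type": "netconn", "dst": "194.5.98.183", "dport": 4772},
    {"type": "netconn", "dst": "8.8.8.8", "dport": 53},
    {"type": "mutex", "name": "fvbrHCbc"},
    {"type": "mutex", "name": "Global\\SomeBenignMutex"},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Roaming\Logs\2022-07-01.txt"},
    {"type": "file_write", "path": r"C:\Users\alice\AppData\Local\Temp\tmp1.tmp"},
]

if __name__ == "__main__":
    cfg = parse_netwire_config(REPORT_CONFIG)
    for hit in match_events(derive_iocs(cfg), SAMPLE_EVENTS):
        print(hit)
```

Two practitioner notes on the fields: the mutex is only worth hunting for because use_mutex is true, and the keylogger directory only because offline_keylogger is true, which is why the IOC derivation gates on those flags. The password value is what the implant uses to authenticate to its C2, not a victim credential; "Password" is the NetWire builder default, so it identifies a lazily built sample rather than a campaign.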
Targets
Target: 3e5ab6c919f0a1c87267e6eb64da2bc7ea2e5dc3f8e72aba4f92e036c7932540
Size: 1.8MB
MD5: def190718ee77f76ba654dcda072cac4
SHA1: 25bd8c0996413d5e25605c355f734cefbf634cfc
SHA256: 3e5ab6c919f0a1c87267e6eb64da2bc7ea2e5dc3f8e72aba4f92e036c7932540
SHA512: 6aacc4ec3d0a40486f2df1ec384b705e5115138e62ddad03565e9402c54c4ced3cb16f2fd503d173ba2b101f813d8269bbf2da6d1d7dba4cdaf74a006f52567c

NetWire RAT payload
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
AutoIT Executable: AutoIT scripts compiled to PE executables.
Suspicious use of SetThreadContext
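Three of the behavioural signatures above are sequences an EDR rule can correlate from a process trace. As an added example (not the sandbox's own signature logic), the Python below runs such rules over a constructed trace: a process started from a path the parent itself just wrote (Executes dropped EXE), a read of the HKCU\Control Panel\International\Geo key that stores the configured country code (Checks computer location settings), and a child created with CREATE_SUSPENDED that the parent then writes to, re-points with SetThreadContext and resumes, which is the process hollowing pattern that makes SetThreadContext suspicious. The trace format, pids and paths are constructed, and the registry key is the standard Windows location of the geo setting rather than something the report states this sample read.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed trace in a simplified "pid|event|details" form (hypothetical
# pids and paths; not the sandbox's own log format).
TRACE = r"""
1000|file_write|C:\Users\alice\AppData\Local\Temp\svchost32.exe
1000|process_create|pid=1200 image=C:\Users\alice\AppData\Local\Temp\svchost32.exe flags=0x0
1200|reg_read|HKCU\Control Panel\International\Geo\Nation
1200|process_create|pid=1300 image=C:\Windows\System32\notepad.exe flags=0x4
1200|api|NtUnmapViewOfSection target_pid=1300
1200|api|WriteProcessMemory target_pid=1300 size=102400
1200|api|SetThreadContext target_pid=1300
1200|api|ResumeThread target_pid=1300
4000|process_create|pid=4100 image=C:\Windows\System32\cmd.exe flags=0x0
4100|api|SetThreadContext target_pid=4100
"""

CREATE_SUSPENDED = 0x4                      # CreateProcess dwCreationFlags bit
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
# Assumption: the country code lives under HKCU\Control Panel\International\Geo
# (the Windows default location); the report does not name the key this sample read.
GEO_KEY_RE = re.compile(r"International\\Geo", re.IGNORECASE)


def parse_trace(text: str) -> List[Dict]:
    events = []
    for line in text.strip().splitlines():
        pid, kind, details = line.split("|", 2)
        events.append({"pid": int(pid), "kind": kind, "details": details})
    return events


def _kv(s: str) -> Dict[str, str]:
    """Parse 'k=v k=v' where values may contain spaces but never '='."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", s)}


def detect(events: List[Dict]) -> List[str]:
    hits: List[str] = []
    dropped = set()            # lower-cased paths of .exe files written by any traced process
    suspended = {}             # child pid -> parent pid, for children created CREATE_SUSPENDED
    stage = defaultdict(int)   # (actor pid, target pid) -> hollowing steps seen, in order
    for ev in events:
        pid, kind, d = ev["pid"], ev["kind"], ev["details"]
        if kind == "file_write" and d.lower().endswith(".exe"):
            dropped.add(d.lower())
        elif kind == "process_create":
            kv = _kv(d)
            child = int(kv["pid"])
            if kv["image"].lower() in dropped:
                hits.append(f"Executes dropped EXE: pid {pid} started {kv['image']}")
            if int(kv.get("flags", "0"), 16) & CREATE_SUSPENDED:
                suspended[child] = pid
        elif kind == "reg_read" and GEO_KEY_RE.search(d):
            hits.append(f"Checks computer location settings: pid {pid} read {d}")
        elif kind == "api":
            name, _, rest = d.partition(" ")
            target = int(_kv(rest).get("target_pid", -1))
            key = (pid, target)
            # Count the step only when the actor is the parent that created the
            # target suspended, and only in the expected order; a process calling
            # SetThreadContext on itself (pid 4100 above) never qualifies.
            if (suspended.get(target) == pid and stage[key] < len(HOLLOW_STEPS)
                    and name == HOLLOW_STEPS[stage[key]]):
                stage[key] += 1
                if stage[key] == len(HOLLOW_STEPS):
                    hits.append(f"Suspicious use of SetThreadContext: pid {pid} wrote into, "
                                f"re-pointed and resumed suspended child {target} "
                                f"(process hollowing pattern)")
    return hits


if __name__ == "__main__":
    for hit in detect(parse_trace(TRACE)):
        print(hit)
```

The hollowing rule keys on the parent/child relationship rather than on SetThreadContext alone: debuggers and exception handlers call SetThreadContext legitimately, so the suspended-create, remote write and resume from the same actor are what carry the signal. NtUnmapViewOfSection is left out of the required steps because not every hollowing implementation unmaps the original image.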