General
Target: tmp
Size: 75KB
Sample: 220718-cqfhcahhel
MD5: 59b5570fd782ef0503a49fd7470200b6
SHA1: 1738e6b2ecb79b85e950a9734469404002cbb195
SHA256: f621b17f07a862cf0dd4c87aaef881dc2a39e36f73900025169aa34c99d0a650
SHA512: 2fd88fce69174fd1f84866ebc99e1f31e2ef8e4af4606871953d4eafa56b029f2bd039bab14c6b847368ecddab148b08bf4c28f6e820e18f14784c40a8a42135

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en

Malware Config
Extracted: netwire
  194.5.98.188:3364
  194.5.98.188:3366
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: j5m52xuc
registry_autorun: false
use_mutex: false

Targets
Target: tmp
Size: 75KB
MD5: 59b5570fd782ef0503a49fd7470200b6
SHA1: 1738e6b2ecb79b85e950a9734469404002cbb195
SHA256: f621b17f07a862cf0dd4c87aaef881dc2a39e36f73900025169aa34c99d0a650
SHA512: 2fd88fce69174fd1f84866ebc99e1f31e2ef8e4af4606871953d4eafa56b029f2bd039bab14c6b847368ecddab148b08bf4c28f6e820e18f14784c40a8a42135

- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext