General
Target: 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
Size: 1.4MB
Sample: 220731-g4r6hsddcl
MD5: 77f0f467f4dd24a29e61427720c0ca1e
SHA1: 7877047c7ac9bf91a13a7c5d6eae70460f3d3d5b
SHA256: 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
SHA512: 078e4904880602085ac61e016c5bc3a8fd4081b4b46f8d15fa594211b9224324e21765e58706c86b2bfbc21cda2d85220fd8b53ebc38bb4f46f5545ee8d6e5d8
Static task: static1
Behavioral task: behavioral1
Sample: 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2.exe
Resource: win7-20220715-en
Malware Config
Extracted: netwire
185.125.205.84:6394
activex_autorun: true
activex_key: {A21KRE7N-163G-58R1-55FA-N5EO6T322124}
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: false
Extracted: formbook
3.9
ch
Targets
Target: 602c739be9c3c942bc0684d824d5aa52ff7bca30abb2c8261dc0106c2571b7a2
- NetWire RAT payload
- Formbook payload
- Adds policy Run key to start application
- Executes dropped EXE
- Modifies Installed Components in the registry
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext