General
Target: 7d4d8865645ff31d355caceae25f90d21d3276ff55bb327266a80792688c9188
Size: 1.3MB
Sample: 220731-nsppksfdbq
MD5: 9277e761dc11031cc9f49e8f96a040d9
SHA1: 3212f2b4ea86af92533086795e3d779f69686f73
SHA256: 7d4d8865645ff31d355caceae25f90d21d3276ff55bb327266a80792688c9188
SHA512: 316f436b6e3e65de8c8339e441661a7bd236fd84a5ea787b32cf7ba760a864e92d1a3f9985c9c108510558f87cdd1888df1639f523424f6a99568a3600b1a7a7
Static task: static1
Behavioral task: behavioral1
Sample: 7d4d8865645ff31d355caceae25f90d21d3276ff55bb327266a80792688c9188.exe
Resource: win7-20220718-en
Malware Config
Extracted
netwire
info1.nowddns.com:5552
activex_autorun: false
copy_executable: false
delete_original: false
host_id: Sms v2.0
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: wBXPRhxS
offline_keylogger: true
password: caster
registry_autorun: false
use_mutex: true
Targets
Target
7d4d8865645ff31d355caceae25f90d21d3276ff55bb327266a80792688c9188
- NetWire RAT payload
- Disables Task Manager via registry modification
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext