General
-
Target
INVOICE00543.exe
-
Size
666KB
-
Sample
220812-j7q4qsdcg3
-
MD5
dfb8147fe8e22fb63d4953cbe8d6742d
-
SHA1
95bd5bd63a3ee48a8b54e53c441d0dd2c896dfce
-
SHA256
ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
-
SHA512
186e15dd64bdc3d01395118a3ebdfbbd392eaaa1d387f1b762dfcba80f3024c344e39e7fca537e3752d5d627ca73e3bb468834528431bd9987e5cc1ff0bd210e
Malware Config
Extracted
netwire
212.193.30.230:3345
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password@9
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
INVOICE00543.exe
-
Size
666KB
-
MD5
dfb8147fe8e22fb63d4953cbe8d6742d
-
SHA1
95bd5bd63a3ee48a8b54e53c441d0dd2c896dfce
-
SHA256
ae2f65dc73b9f6946ced973c5dd998d53123110a8c7a4ad6d88e7cc56d9e3d6d
-
SHA512
186e15dd64bdc3d01395118a3ebdfbbd392eaaa1d387f1b762dfcba80f3024c344e39e7fca537e3752d5d627ca73e3bb468834528431bd9987e5cc1ff0bd210e
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-