General
Target: RECHNUNG99787383.exe
Size: 857KB
Sample: 220816-larecaaab7
MD5: ac6b0cfa28b1f13f4ca69b7a6e74c82c
SHA1: b77d0f43a3b2df7eb56234f477a502a3d3ce3edb
SHA256: c687dcb5a0a34be93b34f8a28fdd70c929aa92815480383640b4c8f79edd4e1d
SHA512: 3725fc990caaff57ff2940e24fd34db83f7cdaf8736690cb255e9b680d8fa0c87e16e4542b1c8f182161815efeb8997fda8d9de27ad9b3430626044a4cc73946
Static task: static1
Behavioral task: behavioral1
Sample: RECHNUNG99787383.exe
Resource: win7-20220812-en
Malware Config
Extracted
netwire
xman2.duckdns.org:4433
xman2.duckdns.org:4411
xman2.duckdns.org:4422
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
lock_executable: false
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: false
Targets
Target: RECHNUNG99787383.exe
NetWire RAT payload
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Suspicious use of SetThreadContext