General
Target: Payment confirmation.exe
Size: 744KB
Sample: 220816-p4ngbshbhq
MD5: 2274229a80d18978482606d9f1e90803
SHA1: 7c6bcb372543c6a42f8888c1eb11c27ed2a7fd98
SHA256: cdee2421636a518cb027f5670691b8f879676a67516d7fb525432ca74efe6bee
SHA512: 6806daa7f21737e2721b061fa89c166b1615bf0e11400db657dbfd74b6c91d698e929dc0289efc4e7c9e07e48bb972db91c7d485dc56ce9bb9bf60c92212d0ab
SSDEEP: 12288:RtoaV1ki3YjdK+ZsGfXa24Lz/qMniCgZSAZdY+rcGdo+cQI5At4Mw/+/S:RtfVui3YjdKM+LzyoFWdh/do+ttml
Static task: static1
Behavioral task: behavioral1 (Sample: Payment confirmation.exe, Resource: win7-20220812-en)
Malware Config
Extracted family: netwire
C2: 185.140.53.61:3363, 185.140.53.61:3365
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: move4ward
registry_autorun: false
use_mutex: false

Note on the extracted values: with offline_keylogger set to true, NetWire writes captured keystrokes to the configured keylogger_dir on disk, so the %AppData%\Logs\ directory is a host artifact to look for even if the C2 endpoints were never reached. All persistence options (activex_autorun, registry_autorun, copy_executable) are off in this build, so the sample as configured does not install itself; the password is the value the client uses to authenticate to and encrypt traffic with its C2.
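The extracted configuration above is most useful when turned into detections. The following is an added example, not part of the report or of Triage's tooling: it derives indicators from the extracted values (the two C2 endpoints and the keylogger directory, with %AppData% expanded to the per-user Roaming directory, which is an assumption about how the placeholder resolves) and runs them over a few constructed network and file events in a simplified event shape that would need mapping to any real EDR or sandbox export.

```python
import ipaddress
import re

# Extracted NetWire configuration, copied from the report above.
NETWIRE_CONFIG = {
    "c2": ["185.140.53.61:3363", "185.140.53.61:3365"],
    "keylogger_dir": "%AppData%\\Logs\\",
    "offline_keylogger": True,
    "host_id": "HostId-%Rand%",
}

# Constructed sample events (not from the report) in a simplified shape:
# network flows carry dst_ip/dst_port, file writes carry a path.
SAMPLE_EVENTS = [
    {"type": "net", "dst_ip": "185.140.53.61", "dst_port": 3363},
    {"type": "net", "dst_ip": "185.140.53.61", "dst_port": 443},
    {"type": "net", "dst_ip": "203.0.113.5", "dst_port": 443},
    {"type": "file", "path": "C:\\Users\\bob\\AppData\\Roaming\\Logs\\20220816.log"},
    {"type": "file", "path": "D:\\users\\ALICE\\appdata\\roaming\\logs\\x.txt"},
    {"type": "file", "path": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\a.lnk"},
]


def parse_c2(entries):
    """Parse 'ip:port' strings into a set of (ip, port) tuples.

    Malformed entries raise ValueError rather than silently producing an
    indicator that can never match.
    """
    endpoints = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"no port in C2 entry: {entry!r}")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        port_num = int(port)
        if not 0 < port_num < 65536:
            raise ValueError(f"bad port in C2 entry: {entry!r}")
        endpoints.add((str(ip), port_num))
    return endpoints


def keylogger_dir_pattern(template):
    """Turn NetWire's keylogger_dir template into a case-insensitive regex.

    Assumption: %AppData% resolves to <drive>:\\Users\\<user>\\AppData\\Roaming,
    so the pattern accepts any drive letter and any username.
    """
    placeholder = "%AppData%"
    parts = [re.escape(p) for p in template.split(placeholder)]
    appdata = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"
    return re.compile("^" + appdata.join(parts), re.IGNORECASE)


def match_events(config, events):
    """Return (label, event) pairs for events that touch a config-derived IOC."""
    c2 = parse_c2(config["c2"])
    c2_hosts = {ip for ip, _ in c2}
    keylog = keylogger_dir_pattern(config["keylogger_dir"])
    hits = []
    for ev in events:
        if ev["type"] == "net":
            if (ev["dst_ip"], ev["dst_port"]) in c2:
                hits.append(("c2_endpoint", ev))
            elif ev["dst_ip"] in c2_hosts:
                # Same host on another port: lower confidence, still worth review.
                hits.append(("c2_host_other_port", ev))
        elif ev["type"] == "file" and keylog.match(ev["path"]):
            hits.append(("keylogger_dir_write", ev))
    return hits


if __name__ == "__main__":
    for label, ev in match_events(NETWIRE_CONFIG, SAMPLE_EVENTS):
        print(label, ev)
```

The host-only match is kept separate from the exact endpoint match on purpose: NetWire builds often list several ports on one host, and a connection to a known C2 address on an unlisted port is a weaker but still useful signal.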
Targets
Target: Payment confirmation.exe
Size: 744KB
MD5: 2274229a80d18978482606d9f1e90803
SHA1: 7c6bcb372543c6a42f8888c1eb11c27ed2a7fd98
SHA256: cdee2421636a518cb027f5670691b8f879676a67516d7fb525432ca74efe6bee
SHA512: 6806daa7f21737e2721b061fa89c166b1615bf0e11400db657dbfd74b6c91d698e929dc0289efc4e7c9e07e48bb972db91c7d485dc56ce9bb9bf60c92212d0ab
SSDEEP: 12288:RtoaV1ki3YjdK+ZsGfXa24Lz/qMniCgZSAZdY+rcGdo+cQI5At4Mw/+/S:RtfVui3YjdKM+LzyoFWdh/do+ttml
NetWire RAT payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Suspicious use of SetThreadContext: SetThreadContext rewrites another thread's register state; outside of debuggers it is most often used to point the main thread of a process created in a suspended state at injected code (process hollowing). The report records the call, not what was written into the target.
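The SetThreadContext signature is only meaningful in sequence with the calls around it. The following is an added example, not part of the report or of Triage: a small detector that walks a constructed API-call trace (a simplified JSON-lines shape where handle arguments are already resolved to the target PID/TID, which real sandbox output would not do for you) and flags the classic hollowing chain of CreateProcess with CREATE_SUSPENDED, WriteProcessMemory into that process, SetThreadContext on its initial thread, then ResumeThread. A process whose thread context is changed without any prior memory write is deliberately left unflagged.

```python
import json

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit documented for CreateProcess

# Constructed trace, not from the report. Second sequence (pid 4044) sets a
# thread context without writing memory first and must not be flagged.
SAMPLE_TRACE = r"""
{"pid": 1200, "api": "CreateProcessW", "args": {"lpApplicationName": "C:\\Windows\\System32\\svchost.exe", "dwCreationFlags": 4}, "ret": {"dwProcessId": 3412, "dwThreadId": 3416}}
{"pid": 1200, "api": "NtUnmapViewOfSection", "args": {"ProcessHandle": 3412}}
{"pid": 1200, "api": "VirtualAllocEx", "args": {"hProcess": 3412, "flProtect": 64}}
{"pid": 1200, "api": "WriteProcessMemory", "args": {"hProcess": 3412, "nSize": 352256}}
{"pid": 1200, "api": "SetThreadContext", "args": {"hThread": 3416}}
{"pid": 1200, "api": "ResumeThread", "args": {"hThread": 3416}}
{"pid": 4044, "api": "CreateProcessW", "args": {"lpApplicationName": "C:\\Tools\\debuggee.exe", "dwCreationFlags": 4}, "ret": {"dwProcessId": 5000, "dwThreadId": 5004}}
{"pid": 4044, "api": "SetThreadContext", "args": {"hThread": 5004}}
{"pid": 4044, "api": "ResumeThread", "args": {"hThread": 5004}}
"""


def detect_hollowing(trace_text):
    """Return [(source_pid, target_pid, target_image)] for each process that was
    created suspended, written to, had its initial thread's context replaced,
    and was then resumed. State is tracked per target process."""
    state = {}       # target pid -> progress through the chain
    tid_to_pid = {}  # initial thread id -> target pid
    findings = []
    for line in trace_text.strip().splitlines():
        rec = json.loads(line)
        api, args, pid = rec["api"], rec.get("args", {}), rec["pid"]
        if api in ("CreateProcessW", "CreateProcessA") and \
                args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            tpid, ttid = rec["ret"]["dwProcessId"], rec["ret"]["dwThreadId"]
            state[tpid] = {"source": pid, "image": args.get("lpApplicationName"),
                           "tid": ttid, "written": False, "ctx_set": False}
            tid_to_pid[ttid] = tpid
        elif api == "WriteProcessMemory" and args.get("hProcess") in state:
            state[args["hProcess"]]["written"] = True
        elif api == "SetThreadContext":
            tpid = tid_to_pid.get(args.get("hThread"))
            # Only count the context change if memory was written first.
            if tpid in state and state[tpid]["written"]:
                state[tpid]["ctx_set"] = True
        elif api == "ResumeThread":
            tpid = tid_to_pid.get(args.get("hThread"))
            if tpid in state and state[tpid]["ctx_set"]:
                s = state.pop(tpid)
                del tid_to_pid[s["tid"]]
                findings.append((s["source"], tpid, s["image"]))
    return findings


if __name__ == "__main__":
    for src, tgt, image in detect_hollowing(SAMPLE_TRACE):
        print(f"hollowing: pid {src} -> pid {tgt} ({image})")
```

The chain is checked in order rather than as a bag of API names because a debugger or a legitimate injector can call SetThreadContext on a suspended process too; requiring the WriteProcessMemory step into the same process before the context change is what keeps the second sequence in the trace quiet.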