General
-
Target
PL & CL INV08387493.exe
-
Size
1.0MB
-
Sample
220902-pewreadffn
-
MD5
78e5c06c3b4a4f96a266672092b05556
-
SHA1
32083828685d58ff385cc89989201c165922c178
-
SHA256
842ad6e2178d34dd7c823fbee5379873172dbc85d5f2844c24f11ea536096999
-
SHA512
c7e8e5a2a2db6f9395fb01a4855de5996f80facf90d368ca22c3009612d9688b96a107ed12efcee5f30014dbec7617743c9235d1099f026719871f1fc41a97ef
-
SSDEEP
24576:iZ503X34ojAZqhZSBhdDU+ZCowOyOXY+mzo3bv:k50ooQ8abUMrlmzM
Static task
static1
Behavioral task
behavioral1
Sample
PL & CL INV08387493.exe
Resource
win7-20220901-en
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4433
podzeye2.duckdns.org:4411
podzeye2.duckdns.org:4422
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
PL & CL INV08387493.exe
-
Size
1.0MB
-
MD5
78e5c06c3b4a4f96a266672092b05556
-
SHA1
32083828685d58ff385cc89989201c165922c178
-
SHA256
842ad6e2178d34dd7c823fbee5379873172dbc85d5f2844c24f11ea536096999
-
SHA512
c7e8e5a2a2db6f9395fb01a4855de5996f80facf90d368ca22c3009612d9688b96a107ed12efcee5f30014dbec7617743c9235d1099f026719871f1fc41a97ef
-
SSDEEP
24576:iZ503X34ojAZqhZSBhdDU+ZCowOyOXY+mzo3bv:k50ooQ8abUMrlmzM
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-