General
-
Target
ORDER-00349809348.7z
-
Size
653KB
-
Sample
220920-h41ckafhaj
-
MD5
8dd5fa9feecf9e187f4e960da4448e9f
-
SHA1
47a42ca7fc430fbfce8135fc57812ffd551a880a
-
SHA256
1a7128a1520a84c3516609e01ccc4888949579115956424489ff81e34c26673d
-
SHA512
9f727e6320dd6c0ea5b016da1a47722b99b9ea2556cdd30eb133ecae1285d7db5c1bcf50079535ddb5b661bebdb639ad069694513c4462a061cd741d7a0e84f1
-
SSDEEP
12288:OSQnr/wpJFrSW3nT1uNwuLksoeldrkiVdmb4Yg7+4xr/cPcSxg4Eb7bq:auL3TOrQG67g7r/cUuWb7bq
Static task
static1
Behavioral task
behavioral1
Sample
ORDER-00349809348.exe
Resource
win7-20220812-en
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4411
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
ORDER-00349809348.exe
-
Size
953KB
-
MD5
705e29680f4f0f0310b4680e05f053d0
-
SHA1
15ab85f450c8fd3e7d25a7889dc658fdfcee9ede
-
SHA256
444eb9da59786055bffa5f9d294fc26edc82a7b31975383efb7f2b9764402cf5
-
SHA512
1290bd274a3b4d426edd46d5597f05d8e056cbae92c5eda29616264cdf28fc6387f282e4188dff740e1aeed86974ffdb22ca70dab0e9e2c7a49ff218d932779e
-
SSDEEP
12288:KFnvWXswpJFQLW3pTLPRVS6IsoDJdrDpvdoxZYg1+kWA/hP1SBh71B:+Wx73ZdmnbAagsA/h9s
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-