General
-
Target
Proof of payment.exe
-
Size
796KB
-
Sample
220920-snfy4ahbam
-
MD5
4f1dde6a0e85ec1f25111ff2e89dd9b8
-
SHA1
1500830e31d710531398faec93e0d72ce5ff3f22
-
SHA256
87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08
-
SHA512
1eaf18e562b52d293eed3ed0c61d9a077c3d8b12a08c86f8bf44a3d93b5d34fa515db5cbd3b9d22e7015c7279bf6573cbd7e0fb17987cee4b560955931b5949b
-
SSDEEP
12288:hJp7/xpfrKI9Ne/flL3MICFcG52Kh2mIDQfdADqjJ5n:9vfr1kN3NCWGT6Qljr
Static task
static1
Behavioral task
behavioral1
Sample
Proof of payment.exe
Resource
win7-20220812-en
Malware Config
Extracted
netwire
37.0.14.214:3346
37.0.14.214:4478
37.0.14.214:3469
37.0.14.214:3565
37.0.14.214:3360
37.0.14.214:5589
37.0.14.214:6425
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
offline_keylogger
true
-
password
move4ward
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
Proof of payment.exe
-
Size
796KB
-
MD5
4f1dde6a0e85ec1f25111ff2e89dd9b8
-
SHA1
1500830e31d710531398faec93e0d72ce5ff3f22
-
SHA256
87ce6467d71023d696315cd06d578f2a17218012beba5502744779614fc67f08
-
SHA512
1eaf18e562b52d293eed3ed0c61d9a077c3d8b12a08c86f8bf44a3d93b5d34fa515db5cbd3b9d22e7015c7279bf6573cbd7e0fb17987cee4b560955931b5949b
-
SSDEEP
12288:hJp7/xpfrKI9Ne/flL3MICFcG52Kh2mIDQfdADqjJ5n:9vfr1kN3NCWGT6Qljr
-
NetWire RAT payload
-
Looks for VirtualBox Guest Additions in registry
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-