General
-
Target
tmp
-
Size
1.1MB
-
Sample
220928-ljfzzagfek
-
MD5
3fbd38a88a5302483a14d8fa2510faf9
-
SHA1
776a02c79a42da5ec021aa1cbd7ac19367d6cb07
-
SHA256
3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153
-
SHA512
24b06af982e636f5faca9eca61958dc87a5ac4a272c789be842ff2c0f5e4f4cb5baf37186690d0c7c83ad65a45eef0ddc71d2f364da0c0d13e44c4335c515bb3
-
SSDEEP
24576:UAOcZXcxP6qNenHO4jTZpFY1q8LPHYOoW6Viduv:CH9CHO4HZXYIwQOolIduv
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
netwire
37.0.14.206:3384
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
offline_keylogger
true
-
password
Password234
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
tmp
-
Size
1.1MB
-
MD5
3fbd38a88a5302483a14d8fa2510faf9
-
SHA1
776a02c79a42da5ec021aa1cbd7ac19367d6cb07
-
SHA256
3d10c53032ea46fb31e8b921c09466bf4a93347f5809c181a0d41ac8e423a153
-
SHA512
24b06af982e636f5faca9eca61958dc87a5ac4a272c789be842ff2c0f5e4f4cb5baf37186690d0c7c83ad65a45eef0ddc71d2f364da0c0d13e44c4335c515bb3
-
SSDEEP
24576:UAOcZXcxP6qNenHO4jTZpFY1q8LPHYOoW6Viduv:CH9CHO4HZXYIwQOolIduv
Score10/10-
NetWire RAT payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-