General
-
Target
INV384878348938.exe
-
Size
1017KB
-
Sample
221012-r6ey3sgab8
-
MD5
dc5955217a168760ffeddb431d90ab01
-
SHA1
ae82750bc7a1c1df086464a65998388e72e5af68
-
SHA256
7081a319ab13e92853c07ab0d9d947178e4d615ad77e640109184acdb325b223
-
SHA512
e8d591c304af4a00eb81dbe970b7dafea60342358ac11f4a6ab70471c226ae1e0904353aa894404645e1528985bd2a13062bf089296c7ceab90ca8b45c073703
-
SSDEEP
12288:ALp/8q4UYJIrqMnyNaPHlwsdC9MsbpE7+RdWj/WZsnNK1cWb/v0paqVPxuo6J9S:cYoqAyNaPHlhdYMsbyaRcMsA1cWj9S
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4433
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
INV384878348938.exe
-
Size
1017KB
-
MD5
dc5955217a168760ffeddb431d90ab01
-
SHA1
ae82750bc7a1c1df086464a65998388e72e5af68
-
SHA256
7081a319ab13e92853c07ab0d9d947178e4d615ad77e640109184acdb325b223
-
SHA512
e8d591c304af4a00eb81dbe970b7dafea60342358ac11f4a6ab70471c226ae1e0904353aa894404645e1528985bd2a13062bf089296c7ceab90ca8b45c073703
-
SSDEEP
12288:ALp/8q4UYJIrqMnyNaPHlwsdC9MsbpE7+RdWj/WZsnNK1cWb/v0paqVPxuo6J9S:cYoqAyNaPHlhdYMsbyaRcMsA1cWj9S
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-