General
-
Target
INV384878348938.7z
-
Size
672KB
-
Sample
221012-r6ey3sgahq
-
MD5
7b8897c077d01bb074220fedac38011a
-
SHA1
1873db8b5ebdc6a524f38f7436605199756ac0cd
-
SHA256
6c6494084e0ca15ebc1387167778f9d8272c381b3b095897569bc9e0c450e087
-
SHA512
fc7e1d7bea717816da5f4a5780386fc2a2b44817bc058d90e23a583aeb036ee5124e057f1e66aecf1790255f70df1297c42409b742308d4aead060e592d65fe3
-
SSDEEP
12288:u/gMFPRfL3UFHIrjrnRN5aRlwsodsMsjpS1sRdkF/mZfnNKQcWbCv5idfHK:igMjfLkFijTRN5aRlhouMsjweR8cfAQE
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4433
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
INV384878348938.exe
-
Size
1017KB
-
MD5
dc5955217a168760ffeddb431d90ab01
-
SHA1
ae82750bc7a1c1df086464a65998388e72e5af68
-
SHA256
7081a319ab13e92853c07ab0d9d947178e4d615ad77e640109184acdb325b223
-
SHA512
e8d591c304af4a00eb81dbe970b7dafea60342358ac11f4a6ab70471c226ae1e0904353aa894404645e1528985bd2a13062bf089296c7ceab90ca8b45c073703
-
SSDEEP
12288:ALp/8q4UYJIrqMnyNaPHlwsdC9MsbpE7+RdWj/WZsnNK1cWb/v0paqVPxuo6J9S:cYoqAyNaPHlhdYMsbyaRcMsA1cWj9S
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-