General
-
Target
Payment Slip.exe
-
Size
665KB
-
Sample
221101-nfzzsabda4
-
MD5
34dd3c65abeca163b3347a7623d5dfa9
-
SHA1
439b3d605cdbfbd34d9d9f66c9c4851dfd41fc25
-
SHA256
8f24221caef706d4502572968c0cf1317e632ebcb64157a5a1dafbdde7fc642c
-
SHA512
769e85ac91e207fdb5118b8da6b4d62152e3f18b59dbb3d8136f44bfe38200f4dea27d0c44183b2583cfdf22622cca81831fd201ec2cc200881fc0cc17179d47
-
SSDEEP
12288:1T6whuJ/Qvhzps7225LN2/4c2J8skPiTMLEF00WlCJm19H2n7T9jFPuUTi8DPN/P:nuJIs7229N2/O8sMBwF00WlC09H0T9jd
Malware Config
Extracted
netwire
zonedx.ddns.net:3360
85.209.134.105:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
offline_keylogger
true
-
password
Password9090
-
registry_autorun
true
-
startup_name
NetWire
-
use_mutex
false
Targets
-
-
Target
Payment Slip.exe
-
Size
665KB
-
MD5
34dd3c65abeca163b3347a7623d5dfa9
-
SHA1
439b3d605cdbfbd34d9d9f66c9c4851dfd41fc25
-
SHA256
8f24221caef706d4502572968c0cf1317e632ebcb64157a5a1dafbdde7fc642c
-
SHA512
769e85ac91e207fdb5118b8da6b4d62152e3f18b59dbb3d8136f44bfe38200f4dea27d0c44183b2583cfdf22622cca81831fd201ec2cc200881fc0cc17179d47
-
SSDEEP
12288:1T6whuJ/Qvhzps7225LN2/4c2J8skPiTMLEF00WlCJm19H2n7T9jFPuUTi8DPN/P:nuJIs7229N2/O8sMBwF00WlC09H0T9jd
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-