General
Target: Payment Receipt.exe
Size: 857KB
Sample: 221104-3c4wwsdghn
MD5: c1c565573c2e426e0a9e69fed42d4797
SHA1: ef6354188bb751628852c7e35a6999b1d059da0a
SHA256: 2387dfd712b954c865bb4927f0628c54bf30b9a115b2383c2dff63456885463a
SHA512: 556ee6a18f716f06217e3c9d6599bc76400c1edb3306485f8be7263033b64aca73085add0811ef01e49556bd3116a2f4b7369760feb32523644d2f6d3f1cee47
SSDEEP: 12288:HOBVfs2sFLTAehm8buS89W7sATlCxy8CJ62f6a5CW5v6RsPHXc3b78eR5j:q8TAqbDNTyGJdf6A5HHXc338ePj
Static task: static1
Behavioral task: behavioral1 (Sample: Payment Receipt.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: Payment Receipt.exe, Resource: win10v2004-20220901-en)
Malware Config
Extracted: netwire
zonedx.ddns.net:3360
85.209.134.105:3360
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password9090
registry_autorun: true
startup_name: NetWire
use_mutex: false
Targets
Target: Payment Receipt.exe
Size: 857KB
Score: 10/10
- NetWire RAT payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext