General
-
Target
DA405198039CD58C1D5DD3E7AE8A26E024C2E3AB70A56B4111992974E531A7D2
-
Size
687KB
-
Sample
221114-tjr18scd82
-
MD5
441592a266a78676aa9ab0f0e3cbcb6d
-
SHA1
8874bf82d7be87e9b9b00cde4d8bf6cc2a77b0eb
-
SHA256
da405198039cd58c1d5dd3e7ae8a26e024c2e3ab70a56b4111992974e531a7d2
-
SHA512
5652ba23501178ea07c7d9b9a9ffd93cc92dfa1b482ab070dba1b731fb87b9ef0c4e24b1ee5f1b3abc8fed64b607d4aec6b81b91214921d5fe5c298d27faa420
-
SSDEEP
12288:u/RlhuXSBNTiQdxKDSYVeVS0kBbX/IqyzvCokDxFmsg7Tlv39jybfnbd:upOXa20KuS0kRX/IjzvVkDx7gPt3QrJ
Static task
static1
Behavioral task
behavioral1
Sample
FACTURA09473773.exe
Resource
win7-20220901-en
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4433
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
FACTURA09473773.exe
-
Size
869KB
-
MD5
765188ba741378b933fe5031593c3237
-
SHA1
0e9bcebaba138d15f24de1129cc8799905a5b16c
-
SHA256
481f3d87a7521d78973241b978e076e2a19beacd54a2307d444f760e47f5589e
-
SHA512
a3b45caf7ac994740f919ed7eda0e596dcbd20ce991e9c159201124f63b3db8181019806f5daa0b5decce6e093613c6145cb4b1b97b0fbefc243c16346f481a3
-
SSDEEP
24576:l1CFvW+Sg3pOVI+jODkjxKgr83io3F93:lYFua3iI+6Ijsgr8SoV9
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-