General
Target: 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f
Size: 468KB
Sample: 221130-rsgwhsbh3z
MD5: 3468e9349c0de79b3e5f926b8bb4974b
SHA1: 0d02135533d8529d4971a01c97304fb6a5e093c2
SHA256: 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f
SHA512: 11ff9e2dde64154dfc676fd2ddffafd1d83e91772f8d1de616402d51462db495db3e90644d076f61178dc1ed4bb7b0e3aaae65ca6c5c23b89b782a7e47878505
SSDEEP: 3072:pB84GtuVJRTutkZYITusCSfjyQwnJtgi2OYPOnmT7UPt+lfEPHe1oVvMV1:I4GgVfuoNjyQ6Jt7QdTfdc
Static task: static1
Behavioral task: behavioral1
  Sample: 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted: netwire
C2: extensions14718.sytes.net:3324
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
lock_executable: false
mutex: pjtcCJSh
offline_keylogger: false
password: Password
registry_autorun: false
use_mutex: true
Targets
Target: 36b03b59bcc2eff7658e359576bd23f7f52b9237317addec566f6af09ec2054f
Score: 10/10
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext