General
-
Target
EC6FB016C581B3691383A5F202171665ADAC9E3AE75014F3F8BA505ADD5B227A
-
Size
637KB
-
Sample
221213-2p4wzsbc9s
-
MD5
4a8fa930a840813a0799a519379c2ac2
-
SHA1
5ce5494dbffb7a31c72307d6a0b49350fbcf2680
-
SHA256
ec6fb016c581b3691383a5f202171665adac9e3ae75014f3f8ba505add5b227a
-
SHA512
dd1d3eaed9477bd82da91c21155ae06018928da974e507edb7367404f6a60b8d67cb2326ebd982f3c759cf3aa82ce9a77bed6e385c83d7d3ba14960121f5c104
-
SSDEEP
12288:/QxE82DMN/ro25G8GHv179kVai6To43vVy331NNnzotS+O3XqQf612RfYkU:/QxEURow4HZaVai4V3v433fNEtBGX4Mk
Static task
static1
Behavioral task
behavioral1
Sample
AUTHORIZATION-FORM.exe
Resource
win7-20221111-en
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4433
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
AUTHORIZATION-FORM.exe
-
Size
885KB
-
MD5
e27ae78966913daae0ee311ad3183814
-
SHA1
ea2f948d948f11a56017c3619660f93cee235046
-
SHA256
22a7c02eac7f7940eba9afa9ca51a179789e22257ffe87cbab02c15360a9fded
-
SHA512
1e5f3c2d216eef94b8268526c56acb022dc80c716759fb098aced1ef25e0d00b92d7fa8d1a8769ceca688256d28cd42c9a922fe623529c9184b29aecb9b669d5
-
SSDEEP
24576:HO/LH9oyLJnMO6sH0VVyiJj374rqVe/t5oyBMRov:uTySOhMqr414mLv
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-