General

Target: PO 59536023 VFD.exe
Size: 953KB
Sample: 230110-q2zl9aca7y
MD5: 6a52e9d53286f8afcc2d70296e953e4d
SHA1: 43e174cb6f5092a4061605d94a277ced24dbca33
SHA256: 0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
SHA512: dada61a358535d7e558bed5e8a1247d591c346d00abee0c49b922b672701db970cc31f6645fddef180b99e862deb3c6d88ee3d8c9803847bc93dfa8d3f6d289c
SSDEEP: 24576:5gh/CSy9mYIxf6gGo5ZG7BoYs5nyyx+NxEyaJu:Kh/CmXZIxs5nyC+Nqya
Static task: static1
Behavioral task: behavioral1 (Sample: PO 59536023 VFD.exe; Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: PO 59536023 VFD.exe; Resource: win10v2004-20220812-en)
Malware Config

Extracted family: netwire
C2: 212.193.30.230:6063
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: TestLink.lnk
lock_executable: false
offline_keylogger: false
password: Password123@
registry_autorun: false
use_mutex: false
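Two values in the extracted config are directly matchable: the C2 endpoint (an IP literal, so no DNS resolution is involved) and the install path, which is written with a Windows environment variable and must be expanded before it can be compared against process telemetry. host_id is a template (HostId-%Rand%) and cannot be matched literally. The following added example, which is not part of the sandbox report, derives host and network indicators from those two values and runs them over constructed telemetry; the Zeek-style conn.log lines, the Sysmon-style process events, the user name and the unrelated destinations in them are all made up for this page. One caveat a practitioner should keep in mind: copy_executable, registry_autorun and delete_original are all false in this config, yet the behavioral signatures for the same sample report a dropped startup file and a Run key, so the install path here is one location to watch, not the only one.

```python
"""Added example (not from the sandbox report): derive host and network
indicators from the extracted NetWire config and match them against
constructed telemetry. Log formats below are assumptions for illustration."""
from __future__ import annotations

import ipaddress
import re

# Values copied verbatim from the extracted config on this page.
NETWIRE_CONFIG = {
    "c2": "212.193.30.230:6063",
    "install_path": r"%AppData%\Install\Host.exe",
    "host_id": "HostId-%Rand%",  # template value; not usable as a literal IOC
}

# %AppData% is the per-user Roaming folder; '*' stands for the user name.
ENV_EXPANSIONS = {"%AppData%": r"C:\Users\*\AppData\Roaming"}


def expand_install_path(path: str) -> str:
    """Expand the environment variables NetWire uses in install_path."""
    for var, value in ENV_EXPANSIONS.items():
        path = path.replace(var, value)
    return path


def install_path_regex(path: str) -> re.Pattern[str]:
    """Case-insensitive regex for the expanded path; '*' matches one path component."""
    parts = [re.escape(p) for p in expand_install_path(path).split("*")]
    return re.compile("^" + r"[^\\]+".join(parts) + "$", re.IGNORECASE)


def parse_c2(c2: str) -> tuple[str, int]:
    """Split host:port and require the host to be an IP literal."""
    host, port = c2.rsplit(":", 1)
    ipaddress.ip_address(host)  # raises ValueError for anything but an IP address
    return host, int(port)


# Constructed Zeek-style conn.log lines: ts, orig_h, orig_p, resp_h, resp_p, proto.
CONN_LOG = [
    "1673362812.1\t10.0.0.5\t49712\t212.193.30.230\t6063\ttcp",
    "1673362813.4\t10.0.0.5\t49713\t93.184.216.34\t443\ttcp",
    "1673362815.0\t10.0.0.7\t53012\t212.193.30.230\t443\ttcp",  # C2 host, other port
]

# Constructed Sysmon-style process-creation events (user name is made up).
PROC_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\PO 59536023 VFD.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Install\Host.exe",
     "ParentImage": r"C:\Users\alice\Downloads\PO 59536023 VFD.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def match_c2_connections(lines: list[str], host_only: bool = False) -> list[str]:
    """Return conn.log lines whose responder is the configured C2.

    host_only=True matches the C2 address on any port, which catches a
    changed port at the cost of more noise."""
    host, port = parse_c2(NETWIRE_CONFIG["c2"])
    hits = []
    for line in lines:
        fields = line.split("\t")
        if fields[3] == host and (host_only or int(fields[4]) == port):
            hits.append(line)
    return hits


def match_install_path(events: list[dict]) -> list[dict]:
    """Return process events whose Image is the NetWire install path for any user."""
    rx = install_path_regex(NETWIRE_CONFIG["install_path"])
    return [e for e in events if rx.match(e["Image"])]


if __name__ == "__main__":
    for hit in match_c2_connections(CONN_LOG):
        print("C2 connection:", hit)
    for hit in match_install_path(PROC_EVENTS):
        print("install path executed:", hit["Image"], "parent:", hit["ParentImage"])
```

Run as-is it reports the one exact C2 flow and the Host.exe execution under the sample's parent; the host_only switch exists because a port is cheap for an operator to change while the address in a compiled config is not.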
Targets

Target: PO 59536023 VFD.exe
Size: 953KB
MD5: 6a52e9d53286f8afcc2d70296e953e4d
SHA1: 43e174cb6f5092a4061605d94a277ced24dbca33
SHA256: 0223813f145061b2f72575be4d6dfa4888d41e7c5dd5d64fc577de9cf4b340b2
SHA512: dada61a358535d7e558bed5e8a1247d591c346d00abee0c49b922b672701db970cc31f6645fddef180b99e862deb3c6d88ee3d8c9803847bc93dfa8d3f6d289c
SSDEEP: 24576:5gh/CSy9mYIxf6gGo5ZG7BoYs5nyyx+NxEyaJu:Kh/CmXZIxs5nyC+Nqya
Score: 10/10

Signatures:
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
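Three of the signatures above describe a chain a detection engineer can look for in API telemetry: a process created suspended, written to, retargeted with SetThreadContext and resumed (the classic process-hollowing sequence behind a "suspicious use of SetThreadContext" hit), a Run-key write, and a file dropped into the Startup folder. The following added example, which is not part of the sandbox report, implements those three checks over a constructed API-call trace; the trace format, the pids, the user name and the dropped file name in it are assumptions made for this page, and the benign debugger-like events at the end are there to show what the hollowing check must not flag. Which process writes the Run key matters for attribution, since the extracted config has registry_autorun set to false.

```python
"""Added example (not from the sandbox report): flag Run-key persistence,
a startup-folder drop and SetThreadContext-based process hollowing in an
API-call trace. The trace and its format are constructed for this page."""
from __future__ import annotations

import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Constructed trace: (timestamp, caller pid, API, argument string).
API_TRACE = [
    (1, 1200, "CreateProcessW",
     r"lpApplicationName=C:\Users\alice\AppData\Roaming\Install\Host.exe flags=0x4 pid=1340"),
    (2, 1200, "NtUnmapViewOfSection", "pid=1340"),
    (3, 1200, "WriteProcessMemory", "pid=1340 size=0x3a000"),
    (4, 1200, "SetThreadContext", "pid=1340"),
    (5, 1200, "ResumeThread", "pid=1340"),
    (6, 1340, "RegSetValueExW",
     r"key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run name=Host value=C:\Users\alice\AppData\Roaming\Install\Host.exe"),
    (7, 1340, "CreateFileW",
     r"path=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Host.lnk"),
    # Benign look-alike: writes into a process that was NOT created suspended.
    (8, 900, "CreateProcessW", r"lpApplicationName=C:\Windows\System32\notepad.exe flags=0x0 pid=910"),
    (9, 900, "WriteProcessMemory", "pid=910 size=0x10"),
    (10, 900, "SetThreadContext", "pid=910"),
]

# key=value pairs separated by spaces; values may themselves contain spaces.
ARG_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_args(arg_string: str) -> dict[str, str]:
    return dict(ARG_RE.findall(arg_string))


def parse_trace(trace: list[tuple]) -> list[dict]:
    return [{"ts": ts, "pid": pid, "api": api, "args": parse_args(a)} for ts, pid, api, a in trace]


HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect_hollowing(events: list[dict]) -> list[tuple[int, int, str]]:
    """Report (creator pid, target pid, image) when a process created with
    CREATE_SUSPENDED is written to, has its thread context replaced, and is
    resumed, in that order. Writes into non-suspended processes are ignored."""
    suspended: dict[int, tuple[int, str]] = {}   # target pid -> (creator pid, image)
    progress: dict[int, int] = defaultdict(int)  # target pid -> HOLLOW_STEPS completed
    findings = []
    for e in events:
        target = e["args"].get("pid")
        if target is None:
            continue
        target = int(target)
        if e["api"] == "CreateProcessW":
            if int(e["args"].get("flags", "0"), 16) & CREATE_SUSPENDED:
                suspended[target] = (e["pid"], e["args"].get("lpApplicationName", ""))
        elif (target in suspended and progress[target] < len(HOLLOW_STEPS)
              and e["api"] == HOLLOW_STEPS[progress[target]]):
            progress[target] += 1
            if progress[target] == len(HOLLOW_STEPS):
                creator, image = suspended[target]
                findings.append((creator, target, image))
    return findings


RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def detect_run_key(events: list[dict]) -> list[dict]:
    """Registry value writes under HKxx\...\CurrentVersion\Run or RunOnce."""
    return [e for e in events
            if e["api"] == "RegSetValueExW" and RUN_KEY_RE.search(e["args"].get("key", ""))]


def detect_startup_drop(events: list[dict]) -> list[dict]:
    """File creations inside a user's or the common Startup folder."""
    return [e for e in events
            if e["api"] == "CreateFileW" and STARTUP_RE.search(e["args"].get("path", ""))]


if __name__ == "__main__":
    evts = parse_trace(API_TRACE)
    for creator, target, image in detect_hollowing(evts):
        print(f"hollowing: pid {creator} -> pid {target} ({image})")
    for e in detect_run_key(evts):
        print(f"run key by pid {e['pid']}: {e['args']['name']} = {e['args']['value']}")
    for e in detect_startup_drop(evts):
        print(f"startup drop by pid {e['pid']}: {e['args']['path']}")
```

The order check is what separates hollowing from ordinary debugging: a debugger also calls WriteProcessMemory and SetThreadContext, but on a process it attached to rather than one it created suspended, so the notepad.exe events in the constructed trace produce no finding.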