General
Target: NSC 070047YI6 GBO93680 JANUARY ORDER.lzh
Size: 593KB
Sample: 230123-mv5m5sef2s
MD5: a757d2acf4225a9556a5f80140ff4a65
SHA1: c5b21f965aee6c74e713735e9bbbd79c746f5eeb
SHA256: 99a7781a00d13830758f2d12a22ddd3482c25746f4eb8bbbd589570e12ceeb52
SHA512: 5e4ed81e1a6e762733a99db9881119ccfd460f77b1e9b9a89beb540b79cc4ced725d4000fe9430676a353f25d1a5bdbd4dec164a5759fef2bcccf65aeefd89e0
SSDEEP: 12288:1HWjNnqdiqRtp4qn89lH2i9aSPRRFGfPASYJZQ45uNr/HpmbRSWU7WzROCo:YjNnqQqRH8/WdSbUlY6NToRSh7Wz0Co
Static task: static1
Behavioral task: behavioral1
  Sample: NSC 070047YI6 GBO93680 JANUARY ORDER.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: NSC 070047YI6 GBO93680 JANUARY ORDER.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted: netwire
212.193.30.230:6063
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: TestLink.lnk
lock_executable: false
offline_keylogger: false
password: Password123@
registry_autorun: false
use_mutex: false
Targets
Target: NSC 070047YI6 GBO93680 JANUARY ORDER.exe
Size: 668KB
MD5: 223b07d0d0f8f545b660ee7198e27ba9
SHA1: 13ad5ae4e4df4b1349cb2f4c45ddbecc92b94602
SHA256: a0e2fc3dbb2e0862936be3007baa6dc35414282c518fda50e57f0d0f6f98c570
SHA512: e34615a0cbf95495aa87f076c87b0b83ec661dba5dfbc9e1acbe8bc16d019e43a5e609073fc632d536f2ac3648013b6d29b2be7aa61dc0b938164e7627d7c58a
SSDEEP: 12288:yduL66BBZ9/XT5npnRSU+L3IvaMzJ2JAtML7fYYsoefV:9LVP3r51wU+Qd1XMLL9shfV
Score: 10/10
Signatures:
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext