General
Target: 322d2fdb6bdefc516d4be643bce9f464abdaf8aa24d50ac30bcf9d59d084c8a1
Size: 269KB
Sample: 230129-t2wr5sfb9v
MD5: f61e07061a9240bcc953a8a51aca7145
SHA1: 3d209df832fef255d971c7c3f9d71ffda29a06b5
SHA256: 322d2fdb6bdefc516d4be643bce9f464abdaf8aa24d50ac30bcf9d59d084c8a1
SHA512: c0e0e9d2cfaaf252b3401ab44d695ff895b6cefad0e0692df2b2577356546a7803eb8579aa95f297a4640b3ebeb12b9a47fd9dbc5b01ff5957523c547e721aac
SSDEEP: 6144:U8vJG2WGCVV+qyb6UPPWdRTdPfLipUwCzoNeEKFAqBOPjnkXbT:UYJIXVVbY6UPP6RTdPBwNeE+QbO
Static task: static1
Behavioral task: behavioral1
Sample: Quotation CTT5684.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: Quotation CTT5684.exe
Resource: win10v2004-20221111-en
Malware Config
Extracted
netwire
iammrjeff00.duckdns.org:1181
activex_autorun: false
copy_executable: false
delete_original: false
host_id: MR-J
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Password1
registry_autorun: false
use_mutex: false
Targets
Target: Quotation CTT5684.exe
Size: 577KB
MD5: 870937bfc582473b8b55263cdd9de6c2
SHA1: 53ef5972b622a434b1fe5e4697445a54e8b387b1
SHA256: 5e9b3af8cce827e801b56da7dcacf0453baeea54f5df0c66607d9cffa2e76886
SHA512: 9b883059a465f8d4d468bbb1b17b1020f7fc5874d42176f3ce1682a29ff1841709dcd44502ef8bd411807b12084ead57e02f12db01b151cbf5c7d012acb250d6
SSDEEP: 12288:vUWcNPJg+MO3/vSLDrw32Zl1zLbHWEpPmB+Rm4mXN4HJUCePad0VL6lwP0FzWSgk:/cJArl1zLbHWEpPmB+Q4mXKHKCePad0w
Score: 10/10
- NetWire RAT payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext