General
-
Target
Proof of Payment.exe
-
Size
6KB
-
Sample
230207-lnrx2aah53
-
MD5
043487225e3f9b3e4c203e74d9ea5262
-
SHA1
9eabb7c17cf1bd6ae8d18612d14447c2bed4b77f
-
SHA256
376510f81da04b06b0ea217c5cf45b7798459f50a7162dc09737faaefd8a4232
-
SHA512
0cf417017856c16a605f2ec69d1bec846b08442b3bd6f9bce7b63246908953d8b44545a69c9beef8d11d40211cac0934a49946ea263c61d375b0c6725da6c862
-
SSDEEP
96:2Sv26u0DjhVa6nScDjDtLr0G86kxNlTzNt:/26nbScvOJHxv1
Static task
static1
Behavioral task
behavioral1
Sample
Proof of Payment.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Proof of Payment.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
netwire
212.193.30.230:3363
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password@2
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
Proof of Payment.exe
-
Size
6KB
-
MD5
043487225e3f9b3e4c203e74d9ea5262
-
SHA1
9eabb7c17cf1bd6ae8d18612d14447c2bed4b77f
-
SHA256
376510f81da04b06b0ea217c5cf45b7798459f50a7162dc09737faaefd8a4232
-
SHA512
0cf417017856c16a605f2ec69d1bec846b08442b3bd6f9bce7b63246908953d8b44545a69c9beef8d11d40211cac0934a49946ea263c61d375b0c6725da6c862
-
SSDEEP
96:2Sv26u0DjhVa6nScDjDtLr0G86kxNlTzNt:/26nbScvOJHxv1
Score10/10-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-