General
Target: Proof of Payment.exe
Size: 674KB
Sample: 230209-jzeezabd74
MD5: 8359e25b8dd8545649e05ab3886329a0
SHA1: 2a2ce1a9ac8b3670838f0c1880a768d4f862cbab
SHA256: 9d2977e8e247515a58c1a05c3111a05ed3832c9f01e5df39c1ff5717531f421d
SHA512: d0bc508adb175738ad65a9a6cea08071ccc7837a6befea48275d0e2ba65785c2444ea2c26e98570f82b35a555156136da2409bfcdc7c954347ebb078cc9c29fd
SSDEEP: 12288:v/o8ZROaaCOUQPM0kMDMhOvsWRUj9XK2KHmFZcn5Efr5QQlQX:v1Oa3Ot+MDMhnWRUjBdW5YiQlQX
Static task: static1
Behavioral task: behavioral1
Sample: Proof of Payment.exe
Resource: win7-20221111-en
Malware Config
Extracted: netwire
194.5.98.101:3362
194.5.98.101:3365
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Levels2023
registry_autorun: false
use_mutex: false
Targets
Target: Proof of Payment.exe
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext