General
Target: r.exe
Size: 160KB
Sample: 230401-fpg7bsga83
MD5: fb8441287cef7a3c0a67a24830a648f3
SHA1: 6fef02a3793b481a2603da3d5051698ea752f4ab
SHA256: 10a9942365cfd73d8c11b5b8e46763a53c642e5ddd9577a21c2388e7bc99d910
SHA512: 660a630c200f34808deba9484d416a8292176f18516a33d9af7c0ec3e5764f41c9a77d8fbf42dd123b8cdbe71e7537a2f63ccc675b2271c85b7a4164c0b4ad0e
SSDEEP: 3072:jOzPcXa+ND32eioGHlz8rnAE0HCXh0edLv1YMjMqqDvFf:jOTcK+NrRioGHlz8rz0i/1zQqqDvFf
Behavioral task: behavioral1
Sample: r.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: r.exe
Resource: win10v2004-20230220-en
Malware Config
Extracted: netwire
  wire.universitynetservice1979.info:8888
  167.179.102.70:8888
  62.234.24.30:8888
activex_autorun: false
copy_executable: true
delete_original: true
host_id: HostId-%Rand%
install_path: %AppData%\Install\svchost.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: olflQfiP
offline_keylogger: true
password: win
registry_autorun: true
startup_name: netloading
use_mutex: true
Targets
Score: 10/10
Signatures:
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application