General
-
Target
RECHNUNG-RP0188843894.exe
-
Size
1.2MB
-
Sample
220805-kg1e6ahcc8
-
MD5
e366f96c9b5c5528426a116eb49ef445
-
SHA1
8062220b613b56116d638b3d7f5dd043f3bc096e
-
SHA256
2a05a23d8879f9d001af335779b5102dd644b08d2f106353c28c8ce303ee9b58
-
SHA512
1dc21da10c45a5fbd5058e85d775cccec140a0fec067183013457d7ab87f9bfd758429a999df2b2bf0afd19d44b289418c6a8457689346521764a812a0430e9d
Static task
static1
Behavioral task
behavioral1
Sample
RECHNUNG-RP0188843894.exe
Resource
win7-20220718-en
Malware Config
Extracted
netwire
xman2.duckdns.org:4433
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
RECHNUNG-RP0188843894.exe
-
Size
1.2MB
-
MD5
e366f96c9b5c5528426a116eb49ef445
-
SHA1
8062220b613b56116d638b3d7f5dd043f3bc096e
-
SHA256
2a05a23d8879f9d001af335779b5102dd644b08d2f106353c28c8ce303ee9b58
-
SHA512
1dc21da10c45a5fbd5058e85d775cccec140a0fec067183013457d7ab87f9bfd758429a999df2b2bf0afd19d44b289418c6a8457689346521764a812a0430e9d
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-