General
-
Target
PO20221110-PDF.js
-
Size
511KB
-
Sample
221012-qlpgcadfbr
-
MD5
abb2c006b96920466b3ccf956f734e3b
-
SHA1
23ba08441fb0f5bad93a2d258fe72bfb429b1250
-
SHA256
94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d
-
SHA512
4ebbee2d4d067ab93a05ae12afba09e744a003428169916d93cb47774e66c1eb99f1b9e7627580e844a4c99dc5b22dfefa88c8acc22fa6329f92060ce5a6751c
-
SSDEEP
12288:X4asKyOMBGvENnL8m4wNTUewr4ZOFQLlvaVHDT73tNBcQmXOFjL3veFL:N56MEZ74BwQJjL3vY
Malware Config
Extracted
netwire
jspowerone.cloudns.nz:8078
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
DN
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
TestLink.lnk
-
lock_executable
false
-
mutex
wLPvLQMO
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
PO20221110-PDF.js
-
Size
511KB
-
MD5
abb2c006b96920466b3ccf956f734e3b
-
SHA1
23ba08441fb0f5bad93a2d258fe72bfb429b1250
-
SHA256
94f02513d9ba859ff486e5e7514c2ca656d2fc5979576da44d68726d9d03de2d
-
SHA512
4ebbee2d4d067ab93a05ae12afba09e744a003428169916d93cb47774e66c1eb99f1b9e7627580e844a4c99dc5b22dfefa88c8acc22fa6329f92060ce5a6751c
-
SSDEEP
12288:X4asKyOMBGvENnL8m4wNTUewr4ZOFQLlvaVHDT73tNBcQmXOFjL3veFL:N56MEZ74BwQJjL3vY
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-