General
-
Target
032cbaf9bec518e82a75b47883340818_JaffaCakes118
-
Size
317KB
-
Sample
240427-nvmb8sad4v
-
MD5
032cbaf9bec518e82a75b47883340818
-
SHA1
a64283ad299d8dbe0195171107cea027b63a79ea
-
SHA256
0afbd1fa6daec9677c451b6b2ad79cd3a5d94efcbb2a902b4f07ff17b46edc14
-
SHA512
dbcc94dc23b09297e34347047d388b0a3bd97b0a3d0b179e70a93151c6dbc2b9f3fab1096163605eb3ce4570e7d496286899349714b066db8cb4a6a75cb23143
-
SSDEEP
6144:ayA+D7v3JMleAOZXdDucfkW57KFx+XwwPo++UBj7/wXS8:ayAEb3JXAOucOFxDO1jq
Static task
static1
Behavioral task
behavioral1
Sample
032cbaf9bec518e82a75b47883340818_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
032cbaf9bec518e82a75b47883340818_JaffaCakes118.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
netwire
99.38.102.122:3363
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
Jack
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
14438136789D
-
registry_autorun
false
-
use_mutex
false
Targets
-
Target
032cbaf9bec518e82a75b47883340818_JaffaCakes118
-
Score
10/10
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-