General

Target: 0914657239a3497433c1777e60d761e1_JaffaCakes118
Size: 390KB
Sample: 240430-fpkmfsde61
MD5: 0914657239a3497433c1777e60d761e1
SHA1: c7d6bca47753362f40e18d44935c75ecd990df2a
SHA256: 3b1ae6021b84138920670f125a1f76cf2625fc1ea104e7228a59cce91d899b83
SHA512: e4bf46e5939f399143b41aa4d880bcddb5f0559703691ba968a87d4893d450b689dc8ba002279d238dfbbccbb6844cb982aa21ac60e37e454c0eb48740334efd
SSDEEP: 12288:cdq4BnAn7gOsqs3sVYXjRpv2ZPbNpINABZ9JKrT0NJmB:q6vszcKFoVD0ezJQ

Static task: static1

Behavioral task: behavioral1
  Sample: 0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: 0914657239a3497433c1777e60d761e1_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
Malware Config

Extracted: netwire

C2 hosts (all on TCP port 6971):
  pustios.ug:6971
  testingskapss.ru:6971
  papapamels.ru:6971
  testingskapss.su:6971

activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
lock_executable: false
mutex: JTbRfkgY
offline_keylogger: false
password: ppF7"oRyqm
registry_autorun: false
use_mutex: true
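The extracted config above is mostly useful as a set of indicators: four C2 domains on one port, a fixed mutex name, and a host_id template whose %Rand% part is filled in at runtime. The following is an added example (not part of the sandbox report and not NetWire's own code) that turns those values into an indicator set and runs it over a few constructed log lines. The log format (key=value events of type dns, netconn, mutex and beacon), the hostnames and the IP addresses are all made up for the example; the `beacon` event and its `host_id` field are an assumption standing in for wherever an analyst recovers the host identifier (memory strings, decrypted traffic). The netconn check deliberately does not alert on port 6971 alone, since an unusual port by itself is a weak signal; it requires the destination to be an address that one of the C2 domains resolved to earlier in the stream.

```python
"""Build detection indicators from a NetWire config and match them against logs."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Values copied from the config extracted on this page.
NETWIRE_CONFIG = {
    "c2": ["pustios.ug:6971", "testingskapss.ru:6971",
           "papapamels.ru:6971", "testingskapss.su:6971"],
    "host_id": "HostId-%Rand%",
    "mutex": "JTbRfkgY",
    "use_mutex": True,
}

# Constructed sample events for this example; hosts, names and IPs are invented.
SAMPLE_LOGS = [
    "event=dns host=WS01 query=pustios.ug answer=203.0.113.10",
    "event=dns host=WS01 query=www.example.com answer=93.184.216.34",
    "event=netconn host=WS01 dst=203.0.113.10 dport=6971 proto=tcp",
    "event=netconn host=WS02 dst=198.51.100.7 dport=443 proto=tcp",
    "event=netconn host=WS03 dst=198.51.100.9 dport=6971 proto=tcp",  # port only: no hit
    "event=mutex host=WS01 name=JTbRfkgY",
    "event=beacon host=WS01 host_id=HostId-7f3a9c",  # assumed event type
]


@dataclass
class Indicators:
    domains: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    mutexes: Set[str] = field(default_factory=set)
    host_id_re: Optional[re.Pattern] = None


def build_indicators(cfg: dict) -> Indicators:
    """Split host:port C2 entries and derive a regex from the host_id template."""
    ind = Indicators()
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        ind.domains.add(host.lower())
        ind.ports.add(int(port))
    if cfg.get("use_mutex") and cfg.get("mutex"):
        ind.mutexes.add(cfg["mutex"])
    tmpl = cfg.get("host_id")
    if tmpl:
        # Assumption: %Rand% is a placeholder filled at runtime, so the fixed
        # parts are matched literally and the placeholder becomes a wildcard.
        parts = re.split(r"(%Rand%)", tmpl)
        pattern = "".join(r".+" if p == "%Rand%" else re.escape(p) for p in parts)
        ind.host_id_re = re.compile(f"^{pattern}$")
    return ind


def parse_kv(line: str) -> dict:
    """Parse one 'key=value key=value' event line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def scan_logs(lines: List[str], ind: Indicators) -> List[Tuple[int, str, str]]:
    """Return (line number, hit type, matched value) for every indicator hit."""
    hits = []
    c2_ips: Set[str] = set()  # answers returned for C2 domains, used to qualify netconn
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        kind = ev.get("event")
        if kind == "dns" and ev.get("query", "").lower() in ind.domains:
            c2_ips.add(ev.get("answer", ""))
            hits.append((n, "c2_dns", ev["query"]))
        elif kind == "netconn":
            # Require both the C2 port and a destination a C2 domain resolved to.
            if ev.get("dst") in c2_ips and int(ev.get("dport", 0)) in ind.ports:
                hits.append((n, "c2_connect", f'{ev["dst"]}:{ev["dport"]}'))
        elif kind == "mutex" and ev.get("name") in ind.mutexes:
            hits.append((n, "mutex", ev["name"]))
        elif kind == "beacon" and ind.host_id_re is not None:
            if ind.host_id_re.match(ev.get("host_id", "")):
                hits.append((n, "host_id", ev["host_id"]))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, build_indicators(NETWIRE_CONFIG)):
        print(hit)
```

The mutex is only added to the indicator set when use_mutex is true, because a NetWire build with use_mutex false never creates it. If a later DNS answer for a C2 domain changes, the correlation picks up the new address automatically, which is why the netconn check keys on resolved addresses rather than a hard-coded IP list.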
Targets

Target: 0914657239a3497433c1777e60d761e1_JaffaCakes118 (390KB; hashes as listed under General above)
Score: 10/10

Signatures:
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext (an API commonly used when injecting into a suspended process, as in process hollowing)

Note that the extracted config sets registry_autorun and copy_executable to false, yet the behavioral run observed a Run key being added and a dropped EXE being executed. The report does not attribute those actions to a specific stage, so they may come from a loader wrapping the NetWire payload rather than from the payload's own configuration; treat the Run key and dropped files as indicators in their own right rather than inferring them from the config.