General
- Target: 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118
- Size: 685KB
- Sample: 240516-kcmcqsca4w
- MD5: 4a345ff1d667f3fd5d76178149e97861
- SHA1: 1b0636c3d65c906bea35daccfe8b124faae02249
- SHA256: 593030d6a46702b5577e982f4c00c427766629211d85c88cbc4b5d17de639b7b
- SHA512: d93f02548e2eb2cd0dc1a25a0a6e78f66b190b0dffa772f53ee1bd2c6725c41eaddb90a8e19bcfb1beff07b3b0c780904817f77f8802018440e7a132176f9fab
- SSDEEP: 12288:AVkUO8yIy581Qv8yIy581QfOjJ+AUdFG:aYn8m/n8m8Udw
Static task: static1
Behavioral task: behavioral1
- Sample: 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118.exe
- Resource: win7-20240508-en
Malware Config
Extracted
- Family: netwire
- C2: watsonly.ddns.net:1191
- activex_autorun: false
- copy_executable: true
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\WiaLogs\
- lock_executable: false
- mutex: NCPblmjG
- offline_keylogger: true
- password: Password
- registry_autorun: true
- startup_name: Windows Defender
- use_mutex: true
Targets
- Target: 4a345ff1d667f3fd5d76178149e97861_JaffaCakes118
- NetWire RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext