General
-
Target
72a4dd4d9b65aeefd23116793b1e04b2_JaffaCakes118
-
Size
1.2MB
-
Sample
240525-vh2pqabb81
-
MD5
72a4dd4d9b65aeefd23116793b1e04b2
-
SHA1
bbf05e5d0a3bdbb909266fd4b74764a578e7dfc0
-
SHA256
e5e08a97973474e281d2f869760812bf31e80554a7bfaa28a35547e7b484fef6
-
SHA512
f0cee93b72db2ecda12912116913cfafe12f9d8e5b4ca74defb128249111e6904494ae5c32a24235ea284cac0e957feba895580391de0fcb33be5b0b45069cdc
-
SSDEEP
24576:xLLYxIyvSxt9uatW2t7zmqrVS3rzPKfmty+CTycckVDirHzQY/hmvGi:xLYzQbZmOV8zK+CG3eEzQY/hmvGi
Malware Config
Extracted
netwire
extensions14718.sytes.net:3324
extensions14718sec.sytes.net:3324
zicopele2018.sytes.net:3584
zicopele2018backup.sytes.net:3584
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
mutex
YbcwLUQv
-
offline_keylogger
true
-
password
Password
-
registry_autorun
false
-
use_mutex
true
Extracted
pony
http://tekinkgroup.com/rector/gate.php
-
payload_url
http://tekinkgroup.com/rector/shit.exe
Targets
-
-
Target
24.exe
-
Size
231KB
-
MD5
260b768a03390af34cf4d91ced33fb0e
-
SHA1
19022cee29e978d9e56af5931421c115c522ee31
-
SHA256
d4103e933d33c9257967b632f9c4cedc5f57e15abd2c0357ce7e9966881cc97d
-
SHA512
05fd9b1eba3f4217b49b4b7eed58634eb7cf944dfa367a0e868c15862a3399e6e874754ab9ffda785a47a7b850d6e24bc777ba55fe47c1405cd28534869841c3
-
SSDEEP
3072:2xfqOcLw3jpU6+NAs9ejLSxKy2jSb/DCKvNSs7ZAHS6vYAdz7QgRrYEaFxuAc2:wqOPzpU6+NCLSK8GBcZAHStYXRrYHc2
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Drops startup file
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-
-
-
Target
4.exe
-
Size
233KB
-
MD5
8acb1a113d20530f501fc371622ff0db
-
SHA1
3e3996eac73c8c5b100e578bf8794f61fb47d255
-
SHA256
08a1633161123a511f98004bda97d5ada42bf34a58e2e598fb321c1fe7a1d1a8
-
SHA512
4ad5c92a299457c8674b76ecf5cd8388fd0b658ef9441c8952d63ac63e8f7404551dc590dedf0c3896f5accbdd60fc365605acab424c42f48be65d1d080877ee
-
SSDEEP
6144:jxQxWRPYIA/fSU9Ja2da7MgpveTvmdhzh3+BPBZbzUE:jxQxWRPYIIfSUVaMmveTHBRR
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Drops startup file
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-
-
-
Target
7.exe
-
Size
216KB
-
MD5
2a02f52b64bb0b2ffce4fb81b4517c7c
-
SHA1
b3a46bb392a8b40c12ac046dfdc3572132155aab
-
SHA256
c5b7e21f19493fed30675f86df39c69fbc3a8a4617d1d85ac3dda90d97d14d6c
-
SHA512
4814e9064e9ed6c4cdc6e514e7a7e73c227fe598904d654cadb98ef1acee51ba987d937547f80e0aeb1972cda86ae3f22addfaf83490a906ec1927f3980be786
-
SSDEEP
6144:59nNMa2B9x4UmQrrYfZUgWKZtFivagH8mlE:DNMaA9x4hdWqtAVHv
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Drops startup file
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-
-
-
Target
Order.exe
-
Size
222KB
-
MD5
28ddb3f1013592bb1b4413ee39009a57
-
SHA1
17f9ae6d47506306352f9670c8dfed99322a3337
-
SHA256
c552c6df4bc0a5aff777c0d4c3b3aec0f2c042d68c17ecd316bfd58b04477698
-
SHA512
e96ab074f89cdd9e5ed94f279884eb4fbf44a1f9ca6da0e1507e0029df45c2f3c5b5ea9be62dc758f783d3ed26f0a98e15a67b5e2592cc872731739b0da05424
-
SSDEEP
6144:kdufqYEGgI+/bHmLpmTvnwM2mksSFwKQ:hqYEGgI+ymvwM29F
Score10/10-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
load2.exe
-
Size
97KB
-
MD5
af85c6152e9e4882333a27c4b6c76bf8
-
SHA1
e83fc5346e51bf7404101f704dcad8f00ed4e3e2
-
SHA256
36c019c0a66b919aee1e096129b447e0113a1978e7c01333eb6ac02a89adc7e1
-
SHA512
52b69c94c9663b9db2b3e7753a23c10a63d010d91813ae0217acfdb7ffc1b52886da64d16b2caa4c198c1e8161626353664931e1b16d713df50392c1c8af5af5
-
SSDEEP
1536:KLz6RibFmySB2T6ktH/mjh6XVFC8HVqXNpgItaYkza3+KD3960pZV5TmytRSzQ:KLmqF08Oktf5FFfVqXNCZNKD38YkCQzQ
Score1/10 -
-
-
Target
spart.exe
-
Size
268KB
-
MD5
6faadd4018893fb1402df8f2693a4fb1
-
SHA1
e223d93bc1cc7f41b72f2c1ca9cadf0e4c3abd26
-
SHA256
b3aba8475a844540f9acb081574b2c83f1cb954cb09f3e8b03660881e501ec53
-
SHA512
9498a96f452d4c176218961559bc27aa1f1ce42b953211d19805618c74ceb6da8571f587c018e6971d077f9e0fe17a1695f080c7da866542e825f521c6eeef74
-
SSDEEP
3072:jWNVz+FX2UXCQh1pGE8IiGS3AegXNzS5f88LmdwrmKcw3MpODAmuAbeuozIrO1qP:66FX2wF8IidKXNKidw6KlUAiuokrGqP
Score7/10-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
swift.exe
-
Size
227KB
-
MD5
21c0027924a5a4a70cd1e61220716224
-
SHA1
5546ef57a890ca54ee59f52a39d86ea3f24ffe0e
-
SHA256
cd309ad77ef0180c2c59bab487e90dc967fd0781ec10a4f5196a0fda75cac36d
-
SHA512
2571b525c8a9ac2abbe09fee720cbc1a4deb9aff288f75f9729475ae3497bcc4853e680015d7ea32d5f09b66425973fa564c0e51b7d10eeff91e369d3ed1ddf0
-
SSDEEP
6144:JpTfdT/KELr+ILii5Ea8NplE8AOcWRaIF2nYMg:JpTfp/KE3+ILkTplNUWkxYT
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Drops startup file
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-