General

Target: b6d72d692aef7927b386cf2b650bd5e9_JaffaCakes118
Size: 782KB
Sample: 240617-ffvq3aygpq
MD5: b6d72d692aef7927b386cf2b650bd5e9
SHA1: ea7ee7562cf6715ee24961058e9b6249fe420e49
SHA256: b8bfd0479a8001a07f602785db31dabaeeeefbbe0cb50316f778ca22daeabe3b
SHA512: 3fd8f2de33258de18e8910557d25b63791eb4fb0a6557f16fd8102ecd9d7d400f4e55012a014733aef8aa353b5bc29a0446d072a3cbea71604d71d28dc9767d4
SSDEEP: 24576:f2O/GlATW0T5FmvLk1NeqgPwmxhKbH3rUO46GAXH:3i0ForPwmxUT3iYX
Static task: static1

Behavioral task: behavioral1
Sample: b6d72d692aef7927b386cf2b650bd5e9_JaffaCakes118.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: b6d72d692aef7927b386cf2b650bd5e9_JaffaCakes118.exe
Resource: win10v2004-20240508-en
Malware Config

Extracted family: netwire
C2: 185.244.30.120:4066
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Nov12345
registry_autorun: false
use_mutex: false
Targets

Target: b6d72d692aef7927b386cf2b650bd5e9_JaffaCakes118
Size: 782KB
MD5: b6d72d692aef7927b386cf2b650bd5e9
SHA1: ea7ee7562cf6715ee24961058e9b6249fe420e49
SHA256: b8bfd0479a8001a07f602785db31dabaeeeefbbe0cb50316f778ca22daeabe3b
SHA512: 3fd8f2de33258de18e8910557d25b63791eb4fb0a6557f16fd8102ecd9d7d400f4e55012a014733aef8aa353b5bc29a0446d072a3cbea71604d71d28dc9767d4
SSDEEP: 24576:f2O/GlATW0T5FmvLk1NeqgPwmxhKbH3rUO46GAXH:3i0ForPwmxUT3iYX

Score: 10/10
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application. Note that the extracted config has registry_autorun set to false, so this Run key is most likely written by the dropper/loader stage rather than by the NetWire payload's own persistence routine.
- Suspicious use of SetThreadContext (commonly seen with process hollowing or thread hijacking).
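The following triage helper is an added example and is not part of the sandbox report or of any NetWire tooling. It turns the extracted configuration above (C2 socket, keylogger directory) into host and network indicators and runs them, together with checks for the reported geofence lookup and Run-key persistence, over a few constructed Sysmon-style events. The registry key used for the geofence check (HKCU\Control Panel\International\Geo\Nation), the event field names, the victim environment and the sample events are all assumptions made for the example; the report does not name the key the sample queried.

```python
import re

# Values copied from the extracted config in the report above.
NETWIRE_CONFIG = {
    "c2": "185.244.30.120:4066",
    "keylogger_dir": "%AppData%\\Logs\\",
    "offline_keylogger": True,
    "registry_autorun": False,
}

# Assumption: the "Checks computer location settings" signature refers to this
# Windows geo/locale key; the report does not state which key was read.
GEO_KEY = r"HKCU\Control Panel\International\Geo\Nation"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

# Constructed environment for a hypothetical victim profile (assumption).
VICTIM_ENV = {"appdata": r"C:\Users\victim\AppData\Roaming"}

# Constructed Sysmon-like events (assumption); the last one is benign noise.
_IMG = r"C:\Users\victim\Downloads\b6d72d692aef7927b386cf2b650bd5e9_JaffaCakes118.exe"
SAMPLE_EVENTS = [
    {"type": "registry_query", "image": _IMG, "key": GEO_KEY},
    {"type": "registry_set", "image": _IMG,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\victim\AppData\Roaming\Updater\Updater.exe"},
    {"type": "file_create", "image": _IMG,
     "path": r"C:\Users\victim\AppData\Roaming\Logs\17-06-2024"},
    {"type": "network", "image": _IMG, "dst": "185.244.30.120", "port": 4066},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst": "23.45.67.89", "port": 443},
]


def parse_c2(c2):
    """Split the config's 'host:port' string; NetWire may also use a hostname here."""
    host, _, port = c2.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"unexpected C2 format: {c2!r}")
    return host, int(port)


def expand_env(path, env):
    """Expand %VAR% tokens case-insensitively, leaving unknown tokens intact."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def build_iocs(cfg, env):
    """Derive host/network indicators from the extracted configuration."""
    host, port = parse_c2(cfg["c2"])
    # The config path carries a trailing backslash; normalise it for prefix matching.
    keylog_dir = expand_env(cfg["keylogger_dir"], env).rstrip("\\").lower()
    return {"c2_host": host, "c2_port": port, "keylog_dir": keylog_dir}


def triage(events, iocs):
    """Return (rule, detail) hits for events matching the derived indicators."""
    hits = []
    for ev in events:
        t = ev["type"]
        if t == "network" and ev["dst"] == iocs["c2_host"] and ev["port"] == iocs["c2_port"]:
            hits.append(("netwire_c2", f"{ev['image']} -> {ev['dst']}:{ev['port']}"))
        elif t == "file_create" and ev["path"].lower().startswith(iocs["keylog_dir"] + "\\"):
            hits.append(("netwire_keylog", ev["path"]))
        elif t == "registry_query" and ev["key"].lower() == GEO_KEY.lower():
            hits.append(("geo_check", f"{ev['image']} read {ev['key']}"))
        elif t == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            hits.append(("run_key_persist", f"{ev['key']} = {ev['value']}"))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS, build_iocs(NETWIRE_CONFIG, VICTIM_ENV)):
        print(f"[{rule}] {detail}")
```

The keylogger directory is matched as a path prefix after environment expansion because the on-disk location depends on the victim's profile, and the host_id template (HostId-%Rand%) means the log file names themselves are per-victim and should not be used as fixed indicators. The Run-key check is intentionally generic: with registry_autorun false in the config, the observed persistence is not tied to a NetWire-specific value name.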