General

Target: 126a93893a231d0d04d51c062ffacb24_JaffaCakes118
Size: 620KB
Sample: 240626-sj2d8szdna
MD5: 126a93893a231d0d04d51c062ffacb24
SHA1: 2dc7626161923496e1161321564649de8a505462
SHA256: 8119fc6da4305f331fc904adfca9e221d26bd607a53e35dbeede7e379b051f20
SHA512: 7ead5d82543478d48820429fa78a6b47c4b96f9a081d6599bc7f47208acc73dee20b97345f971b7298642fb4104d90eb8a660cbdc8f592449410cba459d46715
SSDEEP: 6144:jIgLd7M38csN+OepKstohqNuPSzjRfXfqSicv2oJ04YIEr7rwdaJ:JNMJzpWhYvRfXiSicbJ0d7rco
Static task: static1

Behavioral task: behavioral1
Sample: 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 126a93893a231d0d04d51c062ffacb24_JaffaCakes118.exe
Resource: win10v2004-20240508-en
Malware Config

Extracted: netwire
C2 (host:port): Wealthybond.ddns.me:39560
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: uElWAoFe
offline_keylogger: true
password: sucess
registry_autorun: false
use_mutex: true
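Added example (not part of this Triage report and not NetWire's own code): a small Python hunting helper that turns the extracted config above into indicators and runs them over a handful of telemetry records. The C2 host and port, mutex name, host_id template and keylogger directory are copied from the config; the event records, their field names and the expansion of %AppData% to C:\Users\<user>\AppData\Roaming are assumptions made for illustration.

```python
from __future__ import annotations

import re

# Values copied verbatim from the NetWire config extracted in this report.
NETWIRE_CONFIG = {
    "c2": "Wealthybond.ddns.me:39560",
    "host_id": "HostId-%Rand%",
    "keylogger_dir": "%AppData%\\Logs\\",
    "mutex": "uElWAoFe",
    "use_mutex": True,
    "offline_keylogger": True,
    "registry_autorun": False,
}

# Constructed telemetry records (not from the sandbox run); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "wealthybond.ddns.me"},
    {"type": "net", "dst_host": "wealthybond.ddns.me", "dst_port": 39560},
    {"type": "mutex", "name": "uElWAoFe"},
    {"type": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\Logs\\20240626.log"},
    {"type": "net", "dst_host": "update.example.com", "dst_port": 443},
    {"type": "mutex", "name": "Global\\ExplorerIsShellMutex"},
]


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'host:port' into a lowercase hostname and an integer port."""
    host, _, port = c2.rpartition(":")
    return host.lower(), int(port)


def host_id_pattern(template: str) -> re.Pattern:
    """Turn the host_id template into a regex.

    The %Rand% placeholder is filled in at runtime, so the literal value is
    never known in advance; match any alphanumeric run in that position.
    """
    escaped = re.escape(template)
    return re.compile(escaped.replace(re.escape("%Rand%"), r"[A-Za-z0-9]+"))


def expand_keylogger_dir(template: str, user: str) -> str:
    """Expand %AppData% for one user (assumes the default Windows profile layout)."""
    return template.replace("%AppData%", f"C:\\Users\\{user}\\AppData\\Roaming")


def match_events(cfg: dict, events: list[dict]) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for events that match the config."""
    c2_host, c2_port = parse_c2(cfg["c2"])
    # Everything after %AppData% in the template, lowercased for path comparison.
    keylog_suffix = cfg["keylogger_dir"].split("%AppData%", 1)[1].lower()
    keylog_marker = "\\appdata\\roaming" + keylog_suffix
    hits: list[tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "dns" and ev["query"].lower() == c2_host:
            hits.append(("c2_dns", ev["query"]))
        elif kind == "net" and ev["dst_host"].lower() == c2_host and ev["dst_port"] == c2_port:
            hits.append(("c2_connect", f"{ev['dst_host']}:{ev['dst_port']}"))
        elif kind == "mutex" and cfg["use_mutex"] and ev["name"] == cfg["mutex"]:
            hits.append(("mutex", ev["name"]))
        elif kind == "file" and cfg["offline_keylogger"] and keylog_marker in ev["path"].lower():
            hits.append(("keylog_file", ev["path"]))
    return hits


if __name__ == "__main__":
    for indicator, detail in match_events(NETWIRE_CONFIG, SAMPLE_EVENTS):
        print(f"{indicator:12} {detail}")
```

Two caveats when using these indicators. The C2 is a dynamic-DNS name, so match on the hostname in DNS and connection logs rather than on whatever IP it resolved to during the sandbox run. And although the config has registry_autorun, copy_executable and delete_original all set to false, the behavioral signatures below still report a dropped EXE being executed and a Run key being added; that persistence is set up by the outer dropper layer rather than by the NetWire stub's own config, so a Run-key hunt needs the dropped file name, which this report does not list.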
Targets

Target: 126a93893a231d0d04d51c062ffacb24_JaffaCakes118
Score: 10/10

- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext