General
Target: 34885e384ba164409fd2e150c62b527f_JaffaCakes118
Size: 831KB
Sample: 240710-nlp2rsvfmn
MD5: 34885e384ba164409fd2e150c62b527f
SHA1: 4314a9de717cb5d480182ffd0ba0cc94d84d2d06
SHA256: 120cdfbcb025ada491a35f0aebfa143730d8755cd67b8b4a7a701da592f822c7
SHA512: 6d1aa6f567324dc625d36603156a7d6401026d34ba8798fe0c8c69584741f6337bdcc28730387eaeedd9b6d7f2f7cacc47fa7ef8e6e235c762f80be55ff2488e
SSDEEP: 24576:f2O/GlG2MGLklsZAy5guQGnJwmxhKbH3rUO46Grh:3CklsZXiCJwmxUT3izh
Static task: static1
Behavioral task: behavioral1
  Sample: 34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 34885e384ba164409fd2e150c62b527f_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
Malware Config
Extracted: netwire
194.5.98.182:3080
activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Temp12345
registry_autorun: false
use_mutex: false
Targets
Target: 34885e384ba164409fd2e150c62b527f_JaffaCakes118 (831KB)
Score: 10/10
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext