General
Target: c1308f9b3f4f1ed995bf66c27535300b_JaffaCakes118
Size: 1.1MB
Sample: 240825-vl8bnswgjl
MD5: c1308f9b3f4f1ed995bf66c27535300b
SHA1: ea36cdb4a6d7e96f24b5ca22a052a98828b48d4e
SHA256: d1845a4f1f343d39c5c9e1ea2d9563cb2cddb09a7182aa9756f7f05b4b1e65fe
SHA512: 1e344313129f367178614528a87a6e8891d061dd6defe01300d535a9247c370c046012deddd3be48cc30046eddac34d9f673aa9020403c5db935ac27f762e90f
SSDEEP: 24576:RAHnh+eWsN3skA4RV1Hom2KXMmHaJx0Fi/GODw7hgf5:oh+ZkldoPK8YaJYi7
Static task: static1
Behavioral task: behavioral1
Sample: c1308f9b3f4f1ed995bf66c27535300b_JaffaCakes118.exe
Resource: win7-20240705-en
Malware Config
Extracted: netwire
172.94.17.9:2889
172.94.17.9:5631
salesxpert36.duckdns.org:5454
salesxpert36.duckdns.org:2889
salesxpert36.duckdns.org:7974
ugwueke.duckdns.org:7974
ugwueke.duckdns.org:2889
ugwueke.duckdns.org:5454
ugwueke.duckdns.org:5631
activex_autorun: false
copy_executable: true
delete_original: true
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password
registry_autorun: false
use_mutex: false
Targets
Target: c1308f9b3f4f1ed995bf66c27535300b_JaffaCakes118
Size: 1.1MB
- NetWire RAT payload
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext