General
Target: e7807a6f617d1ca0361bf56bb52e933f_JaffaCakes118
Size: 782KB
Sample: 240917-xn68hazarr
MD5: e7807a6f617d1ca0361bf56bb52e933f
SHA1: e9dc71093dec90641163d0e8ac66dff5af967762
SHA256: c887d0238812727f7d33741af67d9dc085733aa88bc532e1379a749b5b17d1c9
SHA512: 66af8ec00d58852c65e9eb321eea55ad520ea05071c69c5639117f44426d788796238be447663f52e6947f2b9e43f51d57fe9463209e482af6fb920c023dd450
SSDEEP: 24576:f2O/GlATW0Tcz/5WYny7ibzwmxhKbH3rUO46GIN92:3i0IlWYeGwmxUT3i02

Static task: static1
Behavioral task: behavioral1
Sample: e7807a6f617d1ca0361bf56bb52e933f_JaffaCakes118.exe
Resource: win7-20240708-en
Malware Config
Extracted: netwire
185.244.30.120:4066

activex_autorun: false
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
keylogger_dir: %AppData%\Logs\
lock_executable: false
offline_keylogger: true
password: Nov12345
registry_autorun: false
use_mutex: false
Targets
Target: e7807a6f617d1ca0361bf56bb52e933f_JaffaCakes118
- NetWire RAT payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext