General
Target: 7beb088d242e66f5cce11a084bff8c97_JaffaCakes118
Size: 4.8MB
Sample: 241029-f3dq3atndp
MD5: 7beb088d242e66f5cce11a084bff8c97
SHA1: fb1196b51f191f3c92e3d54dd649faac0451f395
SHA256: 886b49c0050de4f05f48028ebfd87d2b552ee61141dda7bd836b3f3129249a00
SHA512: 3e2a56254a3f3eb9aed67bd3a06b0d4023b6de45f503cf07de5c7417a59f6bd5ef1d821728cfb0a5fa31b15267cd65803db42252bb6199170c0305d58da98dd5
SSDEEP: 3072:w30F9m8D+EVl+xF945o3xUvS36894wkpmf3cLsGrFKdAtaIuuaBktbVJgNZBu:w389R+Er+Fu5WUvg6rpmUXQRuaBhNZ
Static task: static1
Behavioral task: behavioral1
Sample: 7beb088d242e66f5cce11a084bff8c97_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted: netwire
94.177.123.116:3368
activex_autorun: false
copy_executable: false
delete_original: false
host_id: win10ram
keylogger_dir: %AppData%\axe\
lock_executable: false
mutex: mxjvAOdg
offline_keylogger: true
password: Invalid123!
registry_autorun: false
use_mutex: true
Targets
- NetWire RAT payload
- Netwire family
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext