General
- Target: P_Order.scr
- Size: 950KB
- Sample: 210712-pp57va9hwx
- MD5: b26006b1b87f94cae399ace4ed2881a5
- SHA1: 6326aa07419cec008653284ca9aabe158edb9ce7
- SHA256: a163607a059886c8fb885f9054c9afa3103c25cca976ea7ac082e1baf02fcd7c
- SHA512: ae92c14038ecb323b97e70e4474881fdb804262dee8f63c8e6c353560d4c8ca3ae69ca3d2dcdd3122171e2223f5e49a56d3621695fb9dd6762da733e47a8c685
- Static task: static1
- Behavioral task: behavioral1
- Sample: P_Order.scr
- Resource: win7v20210410
Malware Config
Extracted: netwire
harold.ns01.info:3606
- activex_autorun: false
- activex_key:
- copy_executable: true
- delete_original: false
- host_id: Ojoko
- install_path: %AppData%\Install\Host.exe
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: enbSUNvD
- offline_keylogger: true
- password: master12
- registry_autorun: false
- startup_name:
- use_mutex: true
Targets
- Target: P_Order.scr
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- NetWire RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext