General
Target: Order.exe
Size: 853KB
Sample: 210721-g79tgkk45a
MD5: 103362e59d9fd456e9ce47da23e14e4f
SHA1: 5f557d79f1085f1e05da881204d341f2c82b20b9
SHA256: f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40
SHA512: b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e
Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: Order.exe, Resource: win7v20210410)
Malware Config
Extracted family: netwire
C2: 37.120.234.120:19792
activex_autorun: false
activex_key:
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: false
mutex: FvEKqKqS
offline_keylogger: true
password: Password
registry_autorun: false
startup_name:
use_mutex: true

Read together, the config gives the host-side indicators for this build: the sample copies itself to %AppData%\Install\Host.exe (copy_executable true, original not deleted), writes offline keylogger output under %AppData%\Logs\, guards against running twice with the mutex FvEKqKqS, identifies itself to the operator with a randomised host id of the form HostId-%Rand%, and beacons to 37.120.234.120:19792. Neither ActiveX nor registry autorun is enabled in this build, so persistence is not configured in the extracted settings. activex_key and startup_name are empty in the extracted config.
Targets
Target: Order.exe (853KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures:
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, block at first seen, etc.
- NetWire RAT payload
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext (a call commonly associated with process injection, where a thread's context is rewritten so that it runs injected code)
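The following is an added example, not part of the sandbox report, that turns the extracted NetWire config above into hunting logic and runs it over a handful of constructed Sysmon-style events. The C2 address, install path, keylogger directory and mutex are copied from the report; the event records, the regex used to stand in for %AppData%, and the Windows Defender tamper rule (the report says only that the .NET component disables realtime monitoring and block-at-first-seen, not how, so a Set-MpPreference command line is assumed here as one illustrative mechanism) are assumptions made for the example.

```python
"""Hunt constructed endpoint telemetry for the NetWire indicators extracted
in this report.  Added example, not part of the sandbox report; the event
records and the Windows Defender tamper rule are assumptions made here."""
import ipaddress
import re

# Values copied from the extracted NetWire config above.
NETWIRE_CONFIG = {
    "c2": "37.120.234.120:19792",
    "install_path": "%AppData%\\Install\\Host.exe",
    "keylogger_dir": "%AppData%\\Logs\\",
    "mutex": "FvEKqKqS",
}

# Assumption: %AppData% resolves to the per-user Roaming folder, which differs
# per host, so it is matched as a regex rather than as a literal string.
APPDATA_REGEX = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"


def path_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a config path template containing %AppData% into a
    case-insensitive regex anchored at the start of a Windows path."""
    parts = [re.escape(p) for p in template.split("%AppData%")]
    return re.compile("^" + APPDATA_REGEX.join(parts), re.IGNORECASE)


def parse_c2(value: str):
    """Split 'ip:port' from the config and validate both halves."""
    host, _, port = value.rpartition(":")
    return str(ipaddress.ip_address(host)), int(port)


INSTALL_RE = path_to_regex(NETWIRE_CONFIG["install_path"])
KEYLOG_RE = path_to_regex(NETWIRE_CONFIG["keylogger_dir"])
C2_IP, C2_PORT = parse_c2(NETWIRE_CONFIG["c2"])

# Assumption: the report does not say how Defender is disabled; a
# Set-MpPreference command line is one common way and is used as the rule.
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BlockAtFirstSeen)\b",
    re.IGNORECASE,
)


def match_event(event: dict) -> list:
    """Return the names of every indicator an event matches (empty if none)."""
    hits = []
    image = event.get("image", "")
    if INSTALL_RE.match(image):
        hits.append("netwire_install_path")
    if (event.get("type") == "network_connect"
            and event.get("dst_ip") == C2_IP and event.get("dst_port") == C2_PORT):
        hits.append("netwire_c2")
    if event.get("type") == "file_create" and KEYLOG_RE.match(event.get("target", "")):
        hits.append("netwire_keylogger_dir")
    if event.get("type") == "mutex_create" and event.get("name") == NETWIRE_CONFIG["mutex"]:
        hits.append("netwire_mutex")
    if event.get("type") == "process_create" and DEFENDER_TAMPER_RE.search(event.get("cmdline", "")):
        hits.append("defender_tamper")
    return hits


def hunt(events: list) -> list:
    """Run every event through match_event; return (index, hits) for matches."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed telemetry in a Sysmon-like shape; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\Install\\Host.exe",
     "cmdline": "\"C:\\Users\\bob\\AppData\\Roaming\\Install\\Host.exe\""},
    {"type": "network_connect",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\Install\\Host.exe",
     "dst_ip": "37.120.234.120", "dst_port": 19792},
    {"type": "network_connect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},
    {"type": "file_create",
     "image": "C:\\Users\\bob\\AppData\\Roaming\\Install\\Host.exe",
     "target": "C:\\Users\\bob\\AppData\\Roaming\\Logs\\2021-07-21.log"},
    {"type": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true -DisableBlockAtFirstSeen $true"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

The install path and keylogger directory are matched structurally rather than literally so that the same rule fires for any user profile, and the C2 match requires both the IP and the port from the config, since the address alone may be shared hosting. Mutex creation is included for telemetry sources that record it; Sysmon does not, so that rule will simply never fire on Sysmon-only data.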