General

  • Target

    First Order 1050522.exe

  • Size

    23KB

  • Sample

    220505-vf8p9agdc5

  • MD5

    0a5658ae9bc75b17d7d591f8411c2b89

  • SHA1

    97a8540c7b213ab33231735e73a01f0903e51182

  • SHA256

    791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544

  • SHA512

    bdcdda71261c750be6c59bfc7daeb113a7d0550fb189941e234189b49b5d4058cee359813ace409045db3cf3c4bef24842fb2a15d0d211ffee939713730cc3d0

Malware Config

Targets

    • Target

      First Order 1050522.exe

    • Size

      23KB

    • MD5

      0a5658ae9bc75b17d7d591f8411c2b89

    • SHA1

      97a8540c7b213ab33231735e73a01f0903e51182

    • SHA256

      791b2bf682699cf97e3925dee40ddd5c2cb728e80f798225a7fb0b713c1b1544

    • SHA512

      bdcdda71261c750be6c59bfc7daeb113a7d0550fb189941e234189b49b5d4058cee359813ace409045db3cf3c4bef24842fb2a15d0d211ffee939713730cc3d0

    • Modifies WinLogon for persistence

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote-control capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext
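The three behavioural signatures above (Winlogon modification, registry lookup of the configured country, SetThreadContext) can be reproduced as detection logic over a behaviour trace. The block below is an added example and is not the sandbox's own signature code: the event records are constructed here, the Winlogon default values are the stock Windows ones, the `HKCU\Control Panel\International\Geo\Nation` key is an assumption about which country-code value is being read, and the SetThreadContext rule uses the usual process-hollowing chain (create suspended, write memory, set context) as its heuristic rather than flagging every call.

```python
"""Detection logic for the signatures listed in the report above.

Added example, not sandbox code. Events are constructed dicts in the shape
of a sandbox behaviour trace: type, registry key/value, pids, creation flags.
"""
from dataclasses import dataclass

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock values on a clean Windows install; anything else is worth a look.
WINLOGON_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"C:\Windows\system32\userinit.exe,",
}
# Assumption: the country code the signature refers to is the GeoID here.
GEO_KEY = r"HKCU\Control Panel\International\Geo\Nation"
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

_HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}


def norm_key(key: str) -> str:
    """Lower-case a registry path and collapse long hive names to short ones."""
    key = key.strip().lower().replace("/", "\\")
    hive, _, rest = key.partition("\\")
    return _HIVES.get(hive, hive) + "\\" + rest


@dataclass(frozen=True)
class Finding:
    signature: str  # name as it appears in the report's signature list
    detail: str


def analyse(events):
    findings = []
    suspended = set()  # child pids created with CREATE_SUSPENDED
    written = set()    # pids that received WriteProcessMemory
    for ev in events:
        t = ev["type"]
        if t == "RegSetValue" and norm_key(ev["key"]) == norm_key(WINLOGON_KEY):
            name = ev["name"].lower()
            default = WINLOGON_DEFAULTS.get(name)
            # Only a non-default Shell/Userinit is persistence; rewriting the
            # stock value is noise.
            if default is not None and ev["data"].strip().lower() != default.lower():
                findings.append(Finding("Modifies WinLogon for persistence",
                                        f"Winlogon\\{ev['name']} = {ev['data']!r}"))
        elif t == "RegQueryValue" and norm_key(ev["key"]) == norm_key(GEO_KEY):
            findings.append(Finding("Checks computer location settings",
                                    "GeoID read from Control Panel\\International\\Geo\\Nation"))
        elif t == "CreateProcess" and ev["flags"] & CREATE_SUSPENDED:
            suspended.add(ev["child_pid"])
        elif t == "WriteProcessMemory":
            written.add(ev["target_pid"])
        elif t == "SetThreadContext":
            pid = ev["target_pid"]
            # Hollowing heuristic: context set on a child we created suspended
            # and already wrote into; SetThreadContext on our own threads passes.
            if pid in suspended and pid in written:
                findings.append(Finding("Suspicious use of SetThreadContext",
                                        f"suspended child {pid} written to, then context set"))
    return findings


# Constructed trace: a hollowing chain, a GeoID read, a benign Shell write,
# and a Userinit value with an extra executable appended.
SAMPLE_EVENTS = [
    {"type": "CreateProcess", "pid": 1000, "child_pid": 2000, "flags": CREATE_SUSPENDED},
    {"type": "WriteProcessMemory", "pid": 1000, "target_pid": 2000},
    {"type": "SetThreadContext", "pid": 1000, "target_pid": 2000},
    {"type": "RegQueryValue", "pid": 2000,
     "key": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation", "name": ""},
    {"type": "RegSetValue", "pid": 2000, "key": WINLOGON_KEY,
     "name": "Shell", "data": "explorer.exe"},
    {"type": "RegSetValue", "pid": 2000, "key": WINLOGON_KEY,
     "name": "Userinit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\Public\host.exe"},
]


def run_sample():
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.signature}: {f.detail}")
```

The Winlogon rule compares against the stock values rather than alerting on any write, because legitimate installers and policy tools do touch these keys; the hollowing rule keys on the whole chain for the same reason, since debuggers and instrumentation call SetThreadContext on their own threads routinely.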

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                      Count   ID
  Persistence      Winlogon Helper DLL            1       T1004
  Defense Evasion  Modify Registry                1       T1112
  Discovery        Query Registry                 1       T1012
  Discovery        System Information Discovery   2       T1082

Tasks