General
Target: 8BF0C3505263C0D5101750057D26A58377B6AF83DB9FA.exe
Size: 610KB
Sample: 220926-leq95sace7
MD5: 8562b4db21d7ab120b4164026146663b
SHA1: 825f06b14b5150c0b76398b01969bf13c27d09c9
SHA256: 8bf0c3505263c0d5101750057d26a58377b6af83db9fad3ec45bd412c2121d7a
SHA512: bba264bed3f3927f15263bcb5a930aa08992b01c2ed92b2b4592e8ad55babd2fbd8e0b19df7953bb53b0554256705b0f64df89d1adf0aa7d4dbaff84b397fe5c
SSDEEP: 12288:vBJ1YFRuFKa00Cl3MY5ygMiQOjgONQkS49tN0i/vO80Wynic9:vVER/0Cl3MYRnNQM9tN0kv8jl

Static task: static1

Behavioral task: behavioral1
  Sample: 8BF0C3505263C0D5101750057D26A58377B6AF83DB9FA.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 8BF0C3505263C0D5101750057D26A58377B6AF83DB9FA.exe
  Resource: win10v2004-20220901-en

Malware Config

Extracted: modiloader
  https://cdn.discordapp.com/attachments/720370823554138118/753853112418041956/Wxhkvco

Extracted: netwire
  fuckfuck0.ddns.net:3871
  activex_autorun: false
  copy_executable: false
  delete_original: false
  host_id: HostId-SmI2Ki
  keylogger_dir: C:\Users\Admin\AppData\Roaming\Logs\
  lock_executable: false
  offline_keylogger: true
  password: Password
  registry_autorun: false
  use_mutex: false
Targets
Target: 8BF0C3505263C0D5101750057D26A58377B6AF83DB9FA.exe (610KB; same MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)

Signatures
- ModiLoader, DBatLoader: ModiLoader is a Delphi-based loader that abuses cloud services to download other malware families.
- NetWire RAT payload
- ModiLoader First Stage
- Adds Run key to start application
- Suspicious use of SetThreadContext