General
-
Target
79dc1b8c0216ce79dbe0988cfb968671.exe
-
Size
769KB
-
Sample
221030-de16cahfb5
-
MD5
79dc1b8c0216ce79dbe0988cfb968671
-
SHA1
58a1e4297a9a9db1bb8e1f3874d139b18e633f96
-
SHA256
8ea72282f7dfbac5825559640cded147ed27ed8f67063dd3ecddc539d6072a69
-
SHA512
4f745a825bf8614ba94432e999b6f2679b6e020e1ffa93ff802b03b76224a606a95e9be34cc4665fc8799efe99cb4b3893ed6fe8f94b8572b693b9c5ea40991c
-
SSDEEP
12288:hCUL5e5qQvVHmVo+R0OXL4r70eYt8JyynITtsUXNvxwUxLfHazzJrN:s45INvVGVoU0OXLPxMyyIuqPB
Malware Config
Extracted
netwire
emberluck.duckdns.org:3360
ogcmaw.duckdns.org:3360
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
ember wins
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
79dc1b8c0216ce79dbe0988cfb968671.exe
-
Size
769KB
-
MD5
79dc1b8c0216ce79dbe0988cfb968671
-
SHA1
58a1e4297a9a9db1bb8e1f3874d139b18e633f96
-
SHA256
8ea72282f7dfbac5825559640cded147ed27ed8f67063dd3ecddc539d6072a69
-
SHA512
4f745a825bf8614ba94432e999b6f2679b6e020e1ffa93ff802b03b76224a606a95e9be34cc4665fc8799efe99cb4b3893ed6fe8f94b8572b693b9c5ea40991c
-
SSDEEP
12288:hCUL5e5qQvVHmVo+R0OXL4r70eYt8JyynITtsUXNvxwUxLfHazzJrN:s45INvVGVoU0OXLPxMyyIuqPB
Score10/10-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
ModiLoader Second Stage
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-