General
-
Target
wbhmdn.exe
-
Size
753KB
-
Sample
230104-wvldyacd91
-
MD5
6d5e7540cc8cb9593f0b0d355b7275a4
-
SHA1
dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e
-
SHA256
2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032
-
SHA512
732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6
-
SSDEEP
12288:NRF268BfCbyuSwcLzXr0cyRmRxW0FPAQMIY5GCIdXKh1uFNuv:fE7CbR9cvoRoxfasY9qQuHuv
Static task
static1
Behavioral task
behavioral1
Sample
wbhmdn.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
wbhmdn.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
netwire
pedrohjy.ddns.net:6655
pedrohjy1.ddns.net:6655
pedrohjy2.ddns.net:6655
pedrohjy3.ddns.net:6655
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
dec2022
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
1234
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
wbhmdn.exe
-
Size
753KB
-
MD5
6d5e7540cc8cb9593f0b0d355b7275a4
-
SHA1
dffcef6fbf66c16558c8a7fef4d8bc49fcbe224e
-
SHA256
2688204813e40e64d5451b87d7028267200caba846773f6b115c3d1dbc675032
-
SHA512
732ae3cde7dd5cfe36f2252232f8d36c918f84481a5cce467fbc676c60cb83c4cf863d88e0de62c58b6ca7723095f2c77cf51f811078490323bac871a52288d6
-
SSDEEP
12288:NRF268BfCbyuSwcLzXr0cyRmRxW0FPAQMIY5GCIdXKh1uFNuv:fE7CbR9cvoRoxfasY9qQuHuv
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
NetWire RAT payload
-
ModiLoader Second Stage
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-