General

  • Target

    NetWire.exe

  • Size

    1.2MB

  • Sample

    240205-g1clnacdb5

  • MD5

    7621f79a7f66c25ad6c636d5248abeb9

  • SHA1

    98304e41f82c3aee82213a286abdee9abf79bcce

  • SHA256

    086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

  • SHA512

    59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

  • SSDEEP

    24576:nBlDgE7EmXWAqSvg439vGSVNe1/hqIiHSvd7:n7DlC+GSjiBiyF

Malware Config

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Targets

    • Target

      NetWire.exe

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Mimikatz

      mimikatz is an open source tool to dump credentials on Windows.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader First Stage

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
