General

  • Target

    Potwierdzenie_transakcji.xls

  • Size

    858KB

  • Sample

    200714-92x3wket86

  • MD5

    473a9bfb649e3a6bf4341d35b839005a

  • SHA1

    f872b68d9d4ba900481c45662b9c8fe3f9006ec6

  • SHA256

    960682168b2d6bc4518726721741593c127da6787aa2ca768bc31734b5c72579

  • SHA512

    057bb39550bd809aa1235cdbbd457d7bf304088f9442bddf5e2610f498986b880872eac247f5810e7feec32b38b40193309a1b6fce43e2a59ae8a945cffc64dc

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    ps1.dropper

    http://office-service-softs.info/tech.jpg

Targets

    • Target

      Potwierdzenie_transakcji.xls

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Suspicious use of SetThreadContext
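
The three behavioural signatures above (Office parent spawning an unexpected child, a blacklisted process making a network request, and SetThreadContext use) can be reproduced as detection logic over process telemetry. The following is an added example and is not part of the sandbox report or its signature engine; the event shape, the process-name lists, the "api" event type and the constructed event chain (explorer.exe > excel.exe > powershell.exe fetching the dropper URL listed in the config) are all assumptions made for illustration. It also goes one step beyond the report by correlating the three hits on a single process tree rather than firing each in isolation.

```python
"""Re-implementation of three sandbox signatures over constructed Sysmon-style
events. Added example, not the report's own code; event format is assumed."""
from dataclasses import dataclass

# Office parents that should not launch scripting or shell interpreters
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children an Office process is expected to start (assumed allow-list)
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe"}
# Interpreters that should not reach the network when started from a document
BLACKLISTED_NET = {"powershell.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "regsvr32.exe"}
# Thread-context APIs used by process hollowing / injection
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}


@dataclass
class Event:
    kind: str              # "process", "network" or "api" (assumed schema)
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    dest: str = ""         # URL or host for network events
    api: str = ""          # API name for api events


# Constructed events modelled on the report's chain; not real telemetry
SAMPLE_EVENTS = [
    Event("process", 100, "explorer.exe"),
    Event("process", 200, "excel.exe", 100, "explorer.exe"),
    Event("process", 300, "powershell.exe", 200, "excel.exe"),
    Event("network", 300, "powershell.exe",
          dest="http://office-service-softs.info/tech.jpg"),
    Event("api", 300, "powershell.exe", api="SetThreadContext"),
    Event("process", 400, "notepad.exe", 100, "explorer.exe"),
    Event("network", 500, "chrome.exe", dest="https://example.org/"),
]


def detect(events):
    """Return (signature, pid, image, detail) tuples, one per firing event."""
    hits = []
    for e in events:
        img = e.image.lower()
        if (e.kind == "process"
                and e.parent_image.lower() in OFFICE_PARENTS
                and img not in EXPECTED_OFFICE_CHILDREN):
            hits.append(("Process spawned unexpected child process",
                         e.pid, e.image, f"parent={e.parent_image}"))
        elif e.kind == "network" and img in BLACKLISTED_NET:
            hits.append(("Blacklisted process makes network request",
                         e.pid, e.image, e.dest))
        elif e.kind == "api" and e.api in CONTEXT_APIS:
            hits.append(("Suspicious use of SetThreadContext",
                         e.pid, e.image, e.api))
    return hits


def descends_from_office(pid, parents, images):
    """Walk up the parent chain; True if any ancestor is an Office process."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if images.get(pid, "").lower() in OFFICE_PARENTS:
            return True
    return False


def macro_dropper_chain(events):
    """PIDs that descend from Office, made a network request and manipulated
    a thread context: the full dropper-to-injection chain on one process."""
    parents = {e.pid: e.parent_pid for e in events if e.kind == "process"}
    images = {e.pid: e.image for e in events if e.kind == "process"}
    net = {e.pid for e in events if e.kind == "network"}
    ctx = {e.pid for e in events if e.kind == "api" and e.api in CONTEXT_APIS}
    return sorted(p for p in net & ctx
                  if descends_from_office(p, parents, images))


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print("dropper chain pids:", macro_dropper_chain(SAMPLE_EVENTS))
```

Each signature on its own is noisy (a developer running PowerShell from a spreadsheet macro would trip the first one); the correlation in `macro_dropper_chain` is what turns three medium-confidence hits into the high-confidence verdict the report reaches.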

MITRE ATT&CK Enterprise v6
