General
-
Target
Proforma Invoice.xls
-
Size
74KB
-
Sample
201119-ntzbxnaqla
-
MD5
55db711144ff4a35faf58d982e7cf727
-
SHA1
ea7b59dde9f0600915069dec66f8410f25cb66fd
-
SHA256
6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
-
SHA512
92e99e23ef71f4b1b9e3f6733ca16d51a2e44a777581c6a4a9b35b4c3574620cbff37ba02052bd7932f75acd2b70a2750f4c53c0d87db75e8a10c4aa1cf4192a
Static task
static1
Behavioral task
behavioral1
Sample
Proforma Invoice.xls
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Proforma Invoice.xls
Resource
win10v20201028
Malware Config
Extracted
https://cutt.ly/ZhqUH1O
Targets
-
-
Target
Proforma Invoice.xls
-
Size
74KB
-
MD5
55db711144ff4a35faf58d982e7cf727
-
SHA1
ea7b59dde9f0600915069dec66f8410f25cb66fd
-
SHA256
6e76bd502c91158631cadf485ce44caa4d6504864735593fc23d90477a794d17
-
SHA512
92e99e23ef71f4b1b9e3f6733ca16d51a2e44a777581c6a4a9b35b4c3574620cbff37ba02052bd7932f75acd2b70a2750f4c53c0d87db75e8a10c4aa1cf4192a
Score10/10-
NetWire RAT payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blacklisted process makes network request
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-