Overview

overview

10

Static

static

Import and...n.xlsx

windows7_x64

10

Import and...n.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Import and Export Regulation.xlsx

  • Size

    2.3MB

  • Sample

    201213-ar5ymtqjl2

  • MD5

    b42c2fed481f5ec6f99f678d1f6f036f

  • SHA1

    c91e029f1e0304e0b1439085fae57609d7e1962d

  • SHA256

    c0b84d4a7affdc167863953ad494d02550d020a6efb083a1375d86a1b3b76edc

  • SHA512

    cded7c450a0a6ac0fdad1b88306451ec29fd3319f4c1fa9d48d7274c20a49eb8bf793451bfdf75451882b83c3c54705cbe74563e0182ceee7a42576421322464

Score
10/10
netwirebotnetevasionpersistenceratstealer

Malware Config

Targets

    • Target

      Import and Export Regulation.xlsx

    • Size

      2.3MB

    • MD5

      b42c2fed481f5ec6f99f678d1f6f036f

    • SHA1

      c91e029f1e0304e0b1439085fae57609d7e1962d

    • SHA256

      c0b84d4a7affdc167863953ad494d02550d020a6efb083a1375d86a1b3b76edc

    • SHA512

      cded7c450a0a6ac0fdad1b88306451ec29fd3319f4c1fa9d48d7274c20a49eb8bf793451bfdf75451882b83c3c54705cbe74563e0182ceee7a42576421322464

    Score
    10/10
    netwirebotnetevasionpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • Modifies Installed Components in the registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks