General
Target: remittance for the month of Dec.xls
Size: 238KB
Sample: 201222-mpqkg3m6e2
MD5: 2630facfc34c2f673ed8df90e6605c56
SHA1: 2c462db9f695db91d9c61d961f8a7ddb48d62b57
SHA256: 49638c7502de579d5d7afa8081710d51193fb91b96055283a3af8b28b4e0721e
SHA512: 7d1f5c107341321005b9a9dc3b2b166fc8af34f9202bb865172a03e328391741eb827104c4418ba2fd093286090ff2d82518a5bf083b7b59e3701b297890f8a9
Static task: static1
Behavioral task: behavioral1 (Sample: remittance for the month of Dec.xls; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: remittance for the month of Dec.xls; Resource: win10v20201028)
Malware Config
Extracted: http://45.15.143.142/fa.exe
Targets
Target: remittance for the month of Dec.xls
Score: 10/10
- NetWire RAT payload
- Process spawned unexpected child process (this typically indicates the parent process was compromised via an exploit or macro)
- Blocklisted process makes network request
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext