Overview

overview

10

Static

static

8

ATO-RELIEF.xlsm

windows7_x64

10

ATO-RELIEF.xlsm

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ATO-RELIEF.xlsm

  • Size

    15KB

  • Sample

    210305-mdvt7ylvg6

  • MD5

    8deb8023b4cabeaf6cb46a4e4b1ebc25

  • SHA1

    09ac5fdc3cad359f1e35f98b15d481ccfe01af30

  • SHA256

    adb2126ab8201d688d9569a05f08fd1738bf80302d46ef2aa83eb2fc7eb94203

  • SHA512

    3cc1240c2a206d7572bac182117d742dee94af585c5384aebbc4621abf32e7e6db2e6e39f4cff2d262d511cf847b06be57a4a6eab6f5e84321f9cc538e630488

Score
10/10
netwirebotnetmacroratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://adelantosi.com/cp/TAX-RELIEF.exe

Targets

    • Target

      ATO-RELIEF.xlsm

    • Size

      15KB

    • MD5

      8deb8023b4cabeaf6cb46a4e4b1ebc25

    • SHA1

      09ac5fdc3cad359f1e35f98b15d481ccfe01af30

    • SHA256

      adb2126ab8201d688d9569a05f08fd1738bf80302d46ef2aa83eb2fc7eb94203

    • SHA512

      3cc1240c2a206d7572bac182117d742dee94af585c5384aebbc4621abf32e7e6db2e6e39f4cff2d262d511cf847b06be57a4a6eab6f5e84321f9cc538e630488

    Score
    10/10
    netwirebotnetratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks