ATO-RELIEF.xlsm

General

Target: ATO-RELIEF.xlsm

Size: 15KB

Sample: 210305-mdvt7ylvg6

Score: 10/10

MD5: 8deb8023b4cabeaf6cb46a4e4b1ebc25

SHA1: 09ac5fdc3cad359f1e35f98b15d481ccfe01af30

SHA256: adb2126ab8201d688d9569a05f08fd1738bf80302d46ef2aa83eb2fc7eb94203

SHA512: 3cc1240c2a206d7572bac182117d742dee94af585c5384aebbc4621abf32e7e6db2e6e39f4cff2d262d511cf847b06be57a4a6eab6f5e84321f9cc538e630488

Malware Config

Extracted

Language: ps1

Deobfuscated URLs (exe.dropper):

  • http://adelantosi.com/cp/TAX-RELIEF.exe

Targets

Target: ATO-RELIEF.xlsm
Signatures

  • NetWire RAT payload

    Tags: Netwire

    Description: Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

  • Process spawned unexpected child process

    Description: This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

  • static1: 8/10

  • behavioral1: 10/10

  • behavioral2: 10/10