Overview

overview

10

Static

static

8

label.xlsm

windows7_x64

10

label.xlsm

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    label.xlsm

  • Size

    18KB

  • Sample

    210309-2dcrv9g73s

  • MD5

    7e7b8a3f709a06751a5aebf0727299f9

  • SHA1

    42e6d1c6c78d3c7e201e49de22a18362b4ee5f71

  • SHA256

    52dc772f8a1fba5d23b2bd62f1762d49f180579d561bbb64d84f97f4c3a7b2cd

  • SHA512

    717917bc7019af9d2dd878f45409a5f4ab9d58df6bf2d892f7317efaa1abe47b9964eebac5c8bf6a6e88173ae7fffc15acca494e9e1341992405543032cfd510

Score
10/10
netwirebotnetmacroratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://adelantosi.com/cp/label.exe

Targets

    • Target

      label.xlsm

    • Size

      18KB

    • MD5

      7e7b8a3f709a06751a5aebf0727299f9

    • SHA1

      42e6d1c6c78d3c7e201e49de22a18362b4ee5f71

    • SHA256

      52dc772f8a1fba5d23b2bd62f1762d49f180579d561bbb64d84f97f4c3a7b2cd

    • SHA512

      717917bc7019af9d2dd878f45409a5f4ab9d58df6bf2d892f7317efaa1abe47b9964eebac5c8bf6a6e88173ae7fffc15acca494e9e1341992405543032cfd510

    Score
    10/10
    netwirebotnetratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks