General
Target: ORDER INQUIRY.doc
Size: 1.5MB
Sample: 210503-yaf2xe7282
MD5: 76d29c28ca7c670367293ca72b21c35a
SHA1: 4572896caccc56875f0223c84348531daa61d827
SHA256: 0b06f4036cfeb9bebf96463b887c650c40dbde0128800dc8872318b4b13f48f5
SHA512: 58a6f8a0bd66354588e65a77d554695fab02f83acedc8eef9f1483b6cc0282d8f10ebb6fe2f11dfe27d5428e5453f7aec9364b8fcc38eb912f5819ea71e598eb

Static task: static1

Behavioral task: behavioral1
Sample: ORDER INQUIRY.doc
Resource: win7v20210408

Behavioral task: behavioral2
Sample: ORDER INQUIRY.doc
Resource: win10v20210410

Malware Config
Extracted: netwire
79.134.225.52:31360
activex_autorun: false
activex_key:
copy_executable: false
delete_original: false
host_id: HostId-%Rand%
install_path:
keylogger_dir:
lock_executable: false
mutex:
offline_keylogger: false
password: Favor1000$
registry_autorun: false
startup_name:
use_mutex: false

Targets
Target: ORDER INQUIRY.doc
Size: 1.5MB
MD5: 76d29c28ca7c670367293ca72b21c35a
SHA1: 4572896caccc56875f0223c84348531daa61d827
SHA256: 0b06f4036cfeb9bebf96463b887c650c40dbde0128800dc8872318b4b13f48f5
SHA512: 58a6f8a0bd66354588e65a77d554695fab02f83acedc8eef9f1483b6cc0282d8f10ebb6fe2f11dfe27d5428e5453f7aec9364b8fcc38eb912f5819ea71e598eb

Signatures
NetWire RAT payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Suspicious use of SetThreadContext