General
- Target: ShippingBLINVPLPDF.exe
- Size: 764KB
- Sample: 210621-mm29tt4bwa
- MD5: ac2dd3566161994b4bc2af90113dd6ef
- SHA1: 062eab232642c0d9ee9e6af266a8abe9fa14dbac
- SHA256: 557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244
- SHA512: fba9479747777c206a427ea75333834f82ffcf1d8fcfd560b60aed293f22c90ef369de745776ebd041e52a097cadcf9b8dcf4d612e2d459210d7d4dfedaae8df
Static task: static1
Behavioral task: behavioral1
- Sample: ShippingBLINVPLPDF.exe
- Resource: win7v20210408
Malware Config
Extracted: netwire
www.clfoor.net:8760
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: payment
- install_path:
- keylogger_dir:
- lock_executable: false
- mutex:
- offline_keylogger: false
- password: Password
- registry_autorun: false
- startup_name:
- use_mutex: false
Targets
- Target: ShippingBLINVPLPDF.exe
- Size: 764KB
- MD5: ac2dd3566161994b4bc2af90113dd6ef
- SHA1: 062eab232642c0d9ee9e6af266a8abe9fa14dbac
- SHA256: 557b7d3dbc3f34338f5a6c1467f399abc0b3ef004d7378b7ff78f80d96fbc244
- SHA512: fba9479747777c206a427ea75333834f82ffcf1d8fcfd560b60aed293f22c90ef369de745776ebd041e52a097cadcf9b8dcf4d612e2d459210d7d4dfedaae8df

- NetWire RAT payload
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext