General
- Target: lnvoice_237647.xls
- Size: 96KB
- Sample: 210709-bqf2l953b2
- MD5: e952df96ed8a0dce47a87203a292bb4f
- SHA1: 163172f5016c075248b0aea90bd1bd1b849db1c6
- SHA256: 4b84c537c317a51d6c6b2de361e7f6251585e7e2486fdc4ed4bff2460facba69
- SHA512: 7ad610f815f09943186efea29bba36c8031fd5b2a53c45fc449b7b5ccd82d16907e6dcc7e47794d4a25ae444f12bf0fcc582346204816a5f5fd627ea60eb6f26
Static task: static1
Behavioral task: behavioral1
- Sample: lnvoice_237647.xls
- Resource: win7v20210410
Malware Config
Extracted
- https://invoice-acc.com/ss/3loyaSLADo1ZNLp.exe
Extracted: netwire
- dxyasser0.zapto.org:1212
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex:
- offline_keylogger: true
- password: 123
- registry_autorun: false
- startup_name:
- use_mutex: false
Targets
- NetWire RAT payload
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of SetThreadContext