Overview

overview

10

Static

static

8

lnvoice_237647.xls

windows7_x64

10

lnvoice_237647.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lnvoice_237647.xls

  • Size

    96KB

  • Sample

    210709-bqf2l953b2

  • MD5

    e952df96ed8a0dce47a87203a292bb4f

  • SHA1

    163172f5016c075248b0aea90bd1bd1b849db1c6

  • SHA256

    4b84c537c317a51d6c6b2de361e7f6251585e7e2486fdc4ed4bff2460facba69

  • SHA512

    7ad610f815f09943186efea29bba36c8031fd5b2a53c45fc449b7b5ccd82d16907e6dcc7e47794d4a25ae444f12bf0fcc582346204816a5f5fd627ea60eb6f26

Score
10/10
netwirebotnetmacromacro_on_actionratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://invoice-acc.com/ss/3loyaSLADo1ZNLp.exe

Extracted

Family

netwire

C2

dxyasser0.zapto.org:1212

Attributes
  • activex_autorun

    false

  • activex_key

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • mutex

  • offline_keylogger

    true

  • password

    123

  • registry_autorun

    false

  • startup_name

  • use_mutex

    false

Targets

    • Target

      lnvoice_237647.xls

    • Size

      96KB

    • MD5

      e952df96ed8a0dce47a87203a292bb4f

    • SHA1

      163172f5016c075248b0aea90bd1bd1b849db1c6

    • SHA256

      4b84c537c317a51d6c6b2de361e7f6251585e7e2486fdc4ed4bff2460facba69

    • SHA512

      7ad610f815f09943186efea29bba36c8031fd5b2a53c45fc449b7b5ccd82d16907e6dcc7e47794d4a25ae444f12bf0fcc582346204816a5f5fd627ea60eb6f26

    Score
    10/10
    netwirebotnetratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks