General
- Target: IN0993.xll
- Size: 2.0MB
- Sample: 220704-jj8zmshed6
- MD5: 45b3cdfe2d7971c747b467b330477052
- SHA1: fac617c572c67af3dcf43f45ddfa04f5e1fb0372
- SHA256: ca4fd6dff7f8239df42a3319e5ac833b5952d8feea4cee1da7b47d1caba3c5e7
- SHA512: f76a1af73034f9c411a891e56faa223a1b244a5f25f90e74fad082f37054fda9372e581cdd9834df0ffa9df414323bc99dbf82f9e76908b84073621990b5437a
Static task: static1
Behavioral task: behavioral1
- Sample: IN0993.xll
- Resource: win7-20220414-en
Malware Config
Extracted: netwire
- 194.5.98.126:3378
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Pass@2023
- registry_autorun: false
- use_mutex: false
Targets
- Target: IN0993.xll
- NetWire RAT payload
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext