General
-
Target
INVOICE3.xll
-
Size
891KB
-
Sample
220715-n9qyzabebk
-
MD5
df41c83b6684fdd3d1d56ffe490a04d7
-
SHA1
72cee1661333584e3ce4f4063a8f196545141cd6
-
SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b
-
SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af
Malware Config
Extracted
Extracted
netwire
194.5.98.126:3378
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Pass@2023
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
INVOICE3.xll
-
Size
891KB
-
MD5
df41c83b6684fdd3d1d56ffe490a04d7
-
SHA1
72cee1661333584e3ce4f4063a8f196545141cd6
-
SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b
-
SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-