General
-
Target
INVOICE3.xll
-
Size
891KB
-
Sample
220715-q91jhsbaa6
-
MD5
df41c83b6684fdd3d1d56ffe490a04d7
-
SHA1
72cee1661333584e3ce4f4063a8f196545141cd6
-
SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b
-
SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE3.xll
Resource
win7-20220414-en
Malware Config
Extracted
netwire
194.5.98.126:3378
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Pass@2023
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
INVOICE3.xll
-
Size
891KB
-
MD5
df41c83b6684fdd3d1d56ffe490a04d7
-
SHA1
72cee1661333584e3ce4f4063a8f196545141cd6
-
SHA256
48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b
-
SHA512
66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af
-
NetWire RAT payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-