General

  • Target

    INVOICE3.xll

  • Size

    891KB

  • Sample

    220715-q91jhsbaa6

  • MD5

    df41c83b6684fdd3d1d56ffe490a04d7

  • SHA1

    72cee1661333584e3ce4f4063a8f196545141cd6

  • SHA256

    48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b

  • SHA512

    66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af

Malware Config

Extracted

Family

netwire

C2

194.5.98.126:3378

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Pass@2023

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      INVOICE3.xll

    • Size

      891KB

    • MD5

      df41c83b6684fdd3d1d56ffe490a04d7

    • SHA1

      72cee1661333584e3ce4f4063a8f196545141cd6

    • SHA256

      48362e828cc04c978234020490d64473f88a940db1b61f112e5b54f583b5311b

    • SHA512

      66ba4abad68589d5d1af9a525d302200438eb399f5d4713cf185cbf189ee349369d48cf514628b1a3c9eae57b359659fec90a915ce46da0a73bdc35f7bf295af

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks