General
Target: RFQ - 6093.xls
Size: 102KB
Sample: 220921-majj6sgae6
MD5: f6431c9663214dc8c24689b22e2dd767
SHA1: 4a2f9d7926ad24bbaf2b7a98878714e9e5261574
SHA256: c965edc69fe9ef5e9c50dc9cfd4540551005397a55b0547b381640819cf101e9
SHA512: 1fce426cbc52d12d1365ee3873747b4466f94ca00b296001c5db204d2854f4367b09ba584842652796e2908480b98aa17c4b3a9794ecf23255eafe55772f6589
SSDEEP: 3072:7k3hOdsylKlgryzc4bNhZFGzE+cL2knAr9pWkmanzr0O8pFKdshErlsDB:7k3hOdsylKlgryzc4bNhZF+E+W2knAr
Behavioral task: behavioral1
Sample: RFQ - 6093.xls
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: RFQ - 6093.xls
Resource: win10v2004-20220812-en
Malware Config
Extracted: netwire
37.0.14.206:3384
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password234
registry_autorun: false
use_mutex: false
Targets
Target: RFQ - 6093.xls
Size: 102KB
Score: 10/10
- NetWire RAT payload
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings. Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext