Overview

overview

10

Static

static

8

PO 0767532.xls

windows7-x64

10

PO 0767532.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO 0767532.xls

  • Size

    107KB

  • Sample

    220926-j7vf6aaad8

  • MD5

    4d3137651038dfe44ccf6440f6281dfb

  • SHA1

    2d28e875fca6e4f945b5165b03f9aa7747764836

  • SHA256

    13c9bc1d2ac60ca5abb5a235d7d27d8c6f06e497da360f391785044d413cc29e

  • SHA512

    7cfda63f4a2a8a4fd4457135c345f403bb3665e4815c4bb983fa14d05ce94d1cd35daa54926fea9f64a6b998b428ab3cf0f2f05a371941cc145a5fb74e54d0ad

  • SSDEEP

    3072:z9xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAB9pWkmanzr0O8yFKdshErls4:JxEtjPOtioVjDGUU1qfDlavx+W2QnABU

Score
10/10
netwirebotnetmacromacro_on_actionpersistenceratstealer

Malware Config

Extracted

Family

netwire

C2

37.0.14.206:3384

Attributes
  • activex_autorun

    false

  • copy_executable

    true

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • offline_keylogger

    true

  • password

    Password234

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      PO 0767532.xls

    • Size

      107KB

    • MD5

      4d3137651038dfe44ccf6440f6281dfb

    • SHA1

      2d28e875fca6e4f945b5165b03f9aa7747764836

    • SHA256

      13c9bc1d2ac60ca5abb5a235d7d27d8c6f06e497da360f391785044d413cc29e

    • SHA512

      7cfda63f4a2a8a4fd4457135c345f403bb3665e4815c4bb983fa14d05ce94d1cd35daa54926fea9f64a6b998b428ab3cf0f2f05a371941cc145a5fb74e54d0ad

    • SSDEEP

      3072:z9xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAB9pWkmanzr0O8yFKdshErls4:JxEtjPOtioVjDGUU1qfDlavx+W2QnABU

    Score
    10/10
    netwirebotnetpersistenceratstealer

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks