General
Target: PO 0767532.xls
Size: 107KB
Sample: 220926-j7vf6abbgl
MD5: 4b7e91a5f07bfa63ebfbdc143210cc9e
SHA1: 169d96a1b25a369dd0ae99ac6f03c817cb9ff929
SHA256: 69230008ebd4db702b501b5d35d6c5551ae5d1cc779d0bbcf4526f606f332650
SHA512: fd154e908daf256b859f47c23a21d341238b960361d555bfaa9744d8a73cb251e8c6785363b94c5b6fd1ab84aaadd90aca20d5aeb8c679cae7356e25fa90ef0d
SSDEEP: 3072:B9xEtjPOtioVjDGUU1qfDlaGGx+cL2QnAB9pWkmanzr0O8yFKdshErls4:XxEtjPOtioVjDGUU1qfDlavx+W2QnABU
Behavioral task: behavioral1
Sample: PO 0767532.xls
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: PO 0767532.xls
Resource: win10v2004-20220812-en
Malware Config
Extracted: netwire
37.0.14.206:3384
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password234
registry_autorun: false
use_mutex: false
Targets
Target: PO 0767532.xls (same file, size and hashes as listed under General above)
Score: 10/10
- NetWire RAT payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext