General
Target: RFQ 80479040.doc
Size: 62KB
Sample: 220930-ljm4aaeagl
MD5: 6328c4a16d653cb10c3b042301b2d6c3
SHA1: 4dba059a50044581f2741868ce850618a042f0b5
SHA256: 9e7f45fc3fe9b1849e1308f416aa57cf62588ca43359630649943b40fcf07856
SHA512: 6d46cc27a4786b0072f1a53cdbd6e3c42e646b6f441ef39eee0630e37863c90bf8c8e40ee026af7cd98ac14474ff96b787ccab941f995fd7db80d0dcc4c2725f
SSDEEP: 384:OkUgY5j96eYPKNiaI1WAE7OCb8iSUR/8dEv8krqrf4INzte/DZeIESy3uGjGWi2S:OP5I5I/q/qsfZ3qHGjG/owKSqXI
Behavioral task
behavioral1
Sample: RFQ 80479040.doc
Resource: win7-20220812-en
Malware Config
Extracted: netwire
37.0.14.206:3384
activex_autorun: false
copy_executable: true
delete_original: false
host_id: HostId-%Rand%
install_path: %AppData%\Install\Host.exe
keylogger_dir: %AppData%\Logs\
lock_executable: true
offline_keylogger: true
password: Password234
registry_autorun: false
use_mutex: false
Targets
- NetWire RAT payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext