General
-
Target
Tax Invoice.xlsm
-
Size
42KB
-
Sample
221117-fhrr7adf88
-
MD5
1a5f56600a34c20305f85f2cd0fdfbdf
-
SHA1
d37b42fd8d23e2fbdaebb55012fd028525e4e72c
-
SHA256
c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c
-
SHA512
630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8
-
SSDEEP
768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g
Malware Config
Extracted
netwire
212.193.30.230:3345
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
false
-
offline_keylogger
true
-
password
Password@9
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
Tax Invoice.xlsm
-
Size
42KB
-
MD5
1a5f56600a34c20305f85f2cd0fdfbdf
-
SHA1
d37b42fd8d23e2fbdaebb55012fd028525e4e72c
-
SHA256
c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c
-
SHA512
630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8
-
SSDEEP
768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-