General

  • Target

    Tax Invoice.xlsm

  • Size

    42KB

  • Sample

    221117-fhrr7adf88

  • MD5

    1a5f56600a34c20305f85f2cd0fdfbdf

  • SHA1

    d37b42fd8d23e2fbdaebb55012fd028525e4e72c

  • SHA256

    c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c

  • SHA512

    630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8

  • SSDEEP

    768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g

Malware Config

Extracted

Family

netwire

C2

212.193.30.230:3345

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password@9

  • registry_autorun

    false

  • use_mutex

    false

Targets

    • Target

      Tax Invoice.xlsm

    • Size

      42KB

    • MD5

      1a5f56600a34c20305f85f2cd0fdfbdf

    • SHA1

      d37b42fd8d23e2fbdaebb55012fd028525e4e72c

    • SHA256

      c0ca12020d7bf51209e7ac026fdfd71f55b97053985b061de24879069c96910c

    • SHA512

      630cf26791900e941843a5e94308031c1e3dab8f60836e395e06f2c0a5fd11bf2beac5115429068276ff9fe1ffdb07d3a49b24029911da8016d490aadcc331d8

    • SSDEEP

      768:IvjsCvCssn3uBIJYfTH+niSpKvDH7Nv+nWhFFiKk/f7qtNhTxRB+nE2g7d:IvDvCT3uG1ByT7Nv+qFFi3/jqLxxyE2g

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Tasks