General
- Target: invoice_78336.xlsm
- Size: 42KB
- Sample: 230124-j1kclsab65
- MD5: 8588c1999a06ff9c06d12fee925b9018
- SHA1: af5ef23dbcc31847788d1a2522b689a8dfd0f124
- SHA256: c94cca2c1e58461023c08ac630cb28cb0940566373c8fa988c480736597a8840
- SHA512: 62c175443fb7b0c58be53f84cdf78d441670eb1ecfed27d7c41f06505a8e036f81c4d7ea086c42cdfcf23d5256404dfccf2b6372fa1a538bbe66d8e54ac9305d
- SSDEEP: 768:7lvRPlvHssndawBIJYfTH+niSpPvDH7iv+nW4FFiKk/f0qtM2CHWRQ+nYANm:ZvnvHTdawG1BxT7iv+PFFi3/8qahHWt+
Behavioral task
- behavioral1
- Sample: invoice_78336.xlsm
- Resource: win7-20221111-en
Malware Config
Extracted
- Family: netwire
- C2: 212.193.30.230:3363
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: Password@2
- registry_autorun: false
- use_mutex: false
Targets
- Target: invoice_78336.xlsm
- Size: 42KB
- MD5: 8588c1999a06ff9c06d12fee925b9018
- SHA1: af5ef23dbcc31847788d1a2522b689a8dfd0f124
- SHA256: c94cca2c1e58461023c08ac630cb28cb0940566373c8fa988c480736597a8840
- SHA512: 62c175443fb7b0c58be53f84cdf78d441670eb1ecfed27d7c41f06505a8e036f81c4d7ea086c42cdfcf23d5256404dfccf2b6372fa1a538bbe66d8e54ac9305d
- SSDEEP: 768:7lvRPlvHssndawBIJYfTH+niSpPvDH7iv+nW4FFiKk/f0qtM2CHWRQ+nYANm:ZvnvHTdawG1BxT7iv+PFFi3/8qahHWt+
- NetWire RAT payload
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext