Medium
A series of sales-themed emails with IMG attachments was observed, sent with the purpose of delivering the NetWire RAT. A total of 15 emails carrying the same attachment were observed coming from two unique senders.
Email 1
Email 2
In both cases, the referenced attachment is an IMG file named “Sales_Quotation_SQUO00001760.img.” Opening this file extracts an executable that we identified to be the NetWire RAT. Once executed, the malware establishes persistence via a scheduled task. Additionally, Registry keys are created to store the C2 server IP and install data of the RAT. Communication with the C2 server is performed over port 3012.
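The emails above were tied together by one attachment reused across several senders. As an added example (not part of the original report), the following Python code clusters disk-image attachments by SHA-256 across a set of raw messages so that reuse of this kind stands out; the sender addresses, payload bytes and extension list are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: extensions treated as disk images; the report only names .img.
DISK_IMAGE_EXTS = (".img", ".iso", ".vhd")
SAMPLE_PAYLOAD = b"constructed-disk-image-bytes"  # constructed, not a real sample

def build_sample(sender, filename, payload):
    """Build one constructed RFC 5322 message with a single attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "user@example.org"
    msg["Subject"] = "Sales quotation"
    msg.set_content("Please see the attached quotation.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def cluster_disk_image_attachments(raw_messages):
    """Group disk-image attachments by SHA-256, tracking senders and counts."""
    clusters = defaultdict(lambda: {"senders": set(), "names": set(), "emails": 0})
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        sender = parseaddr(str(msg.get("From", "")))[1].lower()
        for part in msg.iter_attachments():
            name = part.get_filename() or ""
            if not name.lower().endswith(DISK_IMAGE_EXTS):
                continue  # only disk-image attachments are of interest here
            digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
            entry = clusters[digest]
            entry["senders"].add(sender)
            entry["names"].add(name)
            entry["emails"] += 1
    return dict(clusters)

# Constructed mailbox: the same .img from two senders, plus an unrelated PDF.
SAMPLES = [
    build_sample("Sales <sales@example.com>", "Sales_Quotation_SQUO00001760.img", SAMPLE_PAYLOAD),
    build_sample("quotes@example.net", "Sales_Quotation_SQUO00001760.img", SAMPLE_PAYLOAD),
    build_sample("sales@example.com", "Sales_Quotation_SQUO00001760.img", SAMPLE_PAYLOAD),
    build_sample("hr@example.org", "handbook.pdf", b"constructed-pdf-bytes"),
]

if __name__ == "__main__":
    for digest, info in cluster_disk_image_attachments(SAMPLES).items():
        print(digest, info["emails"], sorted(info["senders"]))
```

A cluster with many emails and more than one sender for a single disk-image hash is the pattern described in this report and is a reasonable trigger for quarantine and retroactive mailbox search.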
Exposure of sensitive information
Email Subject
From Email
SHA-256