General
- Target: RFQ_#76242788162.exe
- Size: 179KB
- Sample: 201016-cwrczk6hke
- MD5: 441ef18a2da7b635c7861e9a502a938b
- SHA1: 63721215f57495860838e078f0bb73d00ce4817a
- SHA256: 28b2e9be250b41e1f4ec167dff3620f09597b7292ad23f0c48a8d6cdcc388959
- SHA512: e59fe8c48c52405ca03bf2f8ae63eb24dd236411e2ef0210ab8a1cd26faf906d0b13dd4f76ca9816e98b4bbbf8a7e8ed57588c631d9667119e1396525e95dd94

Static task: static1

Behavioral task: behavioral1
- Sample: RFQ_#76242788162.exe
- Resource: win7

Malware Config (extracted)
- Family: xpertrat
- Version: 3.0.10
- special X
- C2: zytriew.duckdns.org:4141
- Y6K1I7G5-B5F3-V3F4-S5A6-T0V116U8H550
Targets
- Target: RFQ_#76242788162.exe (179KB; hashes as listed under General)

Signatures
- XpertRAT Core Payload
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext