General
-
Target
SecuriteInfo.com.Win32.RATX-gen.6439.exe
-
Size
953KB
-
Sample
220919-wh1cbsfbbr
-
MD5
705e29680f4f0f0310b4680e05f053d0
-
SHA1
15ab85f450c8fd3e7d25a7889dc658fdfcee9ede
-
SHA256
444eb9da59786055bffa5f9d294fc26edc82a7b31975383efb7f2b9764402cf5
-
SHA512
1290bd274a3b4d426edd46d5597f05d8e056cbae92c5eda29616264cdf28fc6387f282e4188dff740e1aeed86974ffdb22ca70dab0e9e2c7a49ff218d932779e
-
SSDEEP
12288:KFnvWXswpJFQLW3pTLPRVS6IsoDJdrDpvdoxZYg1+kWA/hP1SBh71B:+Wx73ZdmnbAagsA/h9s
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.RATX-gen.6439.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.RATX-gen.6439.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
netwire
podzeye2.duckdns.org:4411
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
HostId-%Rand%
-
lock_executable
false
-
offline_keylogger
false
-
password
Password
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
SecuriteInfo.com.Win32.RATX-gen.6439.exe
-
Size
953KB
-
MD5
705e29680f4f0f0310b4680e05f053d0
-
SHA1
15ab85f450c8fd3e7d25a7889dc658fdfcee9ede
-
SHA256
444eb9da59786055bffa5f9d294fc26edc82a7b31975383efb7f2b9764402cf5
-
SHA512
1290bd274a3b4d426edd46d5597f05d8e056cbae92c5eda29616264cdf28fc6387f282e4188dff740e1aeed86974ffdb22ca70dab0e9e2c7a49ff218d932779e
-
SSDEEP
12288:KFnvWXswpJFQLW3pTLPRVS6IsoDJdrDpvdoxZYg1+kWA/hP1SBh71B:+Wx73ZdmnbAagsA/h9s
-
NetWire RAT payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-