General
-
Target
SecuriteInfo.com.Win32.RATX-gen.16112.exe
-
Size
837KB
-
Sample
220926-ggxgqaagfp
-
MD5
380c39c11c790386e3b2babd5baf81ba
-
SHA1
6d52d56fe2623bdbb52b80426f70d090ccb2550c
-
SHA256
53944a881741bee915b91916abf91bb7916f89756ee49dc2bc8e8ba768213c16
-
SHA512
35cdb67daac5fefc4395743f2ba3160bdd1b089afb0797f79b2c3ba1718eae6cf678dcb099f5512674c0dd7778910e17a1637027fcc3413267cb833b3359de46
-
SSDEEP
12288:FDHgwwaiA/XwycRRSBDjIgZ7ChF9Dr+xTBIkoRmL1OpiBcdwO:CwAA/Xwy867wn2xTBIkoRE4
Malware Config
Extracted
netwire
212.193.29.37:3030
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
client
-
install_path
%AppData%\Install\Host.exe
-
lock_executable
false
-
mutex
xcCpnqVL
-
offline_keylogger
false
-
password
123456
-
registry_autorun
false
-
use_mutex
false
Targets
-
-
Target
SecuriteInfo.com.Win32.RATX-gen.16112.exe
-
Size
837KB
-
MD5
380c39c11c790386e3b2babd5baf81ba
-
SHA1
6d52d56fe2623bdbb52b80426f70d090ccb2550c
-
SHA256
53944a881741bee915b91916abf91bb7916f89756ee49dc2bc8e8ba768213c16
-
SHA512
35cdb67daac5fefc4395743f2ba3160bdd1b089afb0797f79b2c3ba1718eae6cf678dcb099f5512674c0dd7778910e17a1637027fcc3413267cb833b3359de46
-
SSDEEP
12288:FDHgwwaiA/XwycRRSBDjIgZ7ChF9Dr+xTBIkoRmL1OpiBcdwO:CwAA/Xwy867wn2xTBIkoRE4
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-