General

  • Target

    02 SCRAP BIDDING INVITATION_xlsx.exe

  • Size

    301KB

  • Sample

    200624-3pqyjfy64j

  • MD5

    dd5e6e486e6facac99576ee8ebfe048b

  • SHA1

    05a7d384860296a1d5b5d53f908403a53ac7f8bd

  • SHA256

    ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4

  • SHA512

    c0f19b2349ce51cc64dce57d28a60a4d40d570dd1bdefbcd23c85183700dfda876e8f3f6ff59934d26bfe76c536d2c8ec13ac89e7fce6a0053fa07aceddda5f5

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

msn

C2

194.5.99.136:3135

79.134.225.85:3135

Mutex

G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8

Targets

    • Target

      02 SCRAP BIDDING INVITATION_xlsx.exe

    • Size

      301KB

    • MD5

      dd5e6e486e6facac99576ee8ebfe048b

    • SHA1

      05a7d384860296a1d5b5d53f908403a53ac7f8bd

    • SHA256

      ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4

    • SHA512

      c0f19b2349ce51cc64dce57d28a60a4d40d570dd1bdefbcd23c85183700dfda876e8f3f6ff59934d26bfe76c536d2c8ec13ac89e7fce6a0053fa07aceddda5f5

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • XpertRAT Core Payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Adds policy Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks