xpertrat | 12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2 | Triage

Submit
Reports

Overview

overview

Static

static

f6eb3ee5a5...e7.exe

windows7_x64

f6eb3ee5a5...e7.exe

windows10_x64

Sharing

General

Target

f6eb3ee5a5791580cb437aed0ed50ee7.exe
Size

346KB
Sample

201109-x26pnpp4vj
MD5

f6eb3ee5a5791580cb437aed0ed50ee7
SHA1

42390aa36dd526141c798849a02dfdebcbd17eb5
SHA256

12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2
SHA512

c94f46ffef834d6b00240bd4431f5dc191c75fbfa6b6ed31a7a94a23b93084a0d69d00cf24e66d8b919c8b58de365b70fa3bb461e51c153c7b747f6b0cbc0527

Score

10^/10

xpertrat msn coreentity evasion persistence rat rezer0 trojan

Static task

static1

Behavioral task

behavioral1

Sample

f6eb3ee5a5791580cb437aed0ed50ee7.exe

Resource

win7v20201028

xpertrat msn coreentity evasion persistence rat rezer0 trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

f6eb3ee5a5791580cb437aed0ed50ee7.exe

Resource

win10v20201028

xpertrat msn coreentity evasion persistence rat rezer0 trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

msn

C2

127.0.0.1:666

194.5.99.136:3135

Mutex

D7X4P1B8-Q5O3-S1E1-N0C3-X4R7E8E2T6P3

Targets

- Target
  
  f6eb3ee5a5791580cb437aed0ed50ee7.exe
- Size
  
  346KB
- MD5
  
  f6eb3ee5a5791580cb437aed0ed50ee7
- SHA1
  
  42390aa36dd526141c798849a02dfdebcbd17eb5
- SHA256
  
  12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2
- SHA512
  
  c94f46ffef834d6b00240bd4431f5dc191c75fbfa6b6ed31a7a94a23b93084a0d69d00cf24e66d8b919c8b58de365b70fa3bb461e51c153c7b747f6b0cbc0527
Score

10^/10

xpertrat msn coreentity evasion persistence rat rezer0 trojan
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Adds policy Run key to start application
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xpertratmsncoreentityevasionpersistenceratrezer0trojan

behavioral2

xpertratmsncoreentityevasionpersistenceratrezer0trojan

© 2018-2024

Terms | Privacy