General

  • Target

    a5523425c4a1ec48a104970e15e55978.exe

  • Size

    15KB

  • Sample

    210423-778svc3xt2

  • MD5

    a5523425c4a1ec48a104970e15e55978

  • SHA1

    43d820ee908bff37ed63dc8a13d8782637bd3203

  • SHA256

    1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366

  • SHA512

    67943d00181e9fe7f31c8ee1ac3acdbc252519732b920d0c4fb700d6eee7ae770ce33e75f07743b3d7536607a0a2e21727bb01703426e99202a7dec66cb5cee4

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

ghytrty.duckdns.org:4145

spapertyy.duckdns.org:4145

Mutex

L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0

Targets

    • Target

      a5523425c4a1ec48a104970e15e55978.exe

    • Size

      15KB

    • MD5

      a5523425c4a1ec48a104970e15e55978

    • SHA1

      43d820ee908bff37ed63dc8a13d8782637bd3203

    • SHA256

      1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366

    • SHA512

      67943d00181e9fe7f31c8ee1ac3acdbc252519732b920d0c4fb700d6eee7ae770ce33e75f07743b3d7536607a0a2e21727bb01703426e99202a7dec66cb5cee4

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • XpertRAT Core Payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Adds policy Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks