xpertrat | 1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366 | Triage

Submit
Reports

Overview

overview

Static

static

a5523425c4...78.exe

windows7_x64

a5523425c4...78.exe

windows10_x64

Sharing

General

Target

a5523425c4a1ec48a104970e15e55978.exe
Size

15KB
Sample

210423-v79kn9kprs
MD5

a5523425c4a1ec48a104970e15e55978
SHA1

43d820ee908bff37ed63dc8a13d8782637bd3203
SHA256

1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366
SHA512

67943d00181e9fe7f31c8ee1ac3acdbc252519732b920d0c4fb700d6eee7ae770ce33e75f07743b3d7536607a0a2e21727bb01703426e99202a7dec66cb5cee4

Score

10^/10

xpertrat special x evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

a5523425c4a1ec48a104970e15e55978.exe

Resource

win7v20210410

xpertrat special x evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

a5523425c4a1ec48a104970e15e55978.exe

Resource

win10v20210408

xpertrat special x evasion persistence rat trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

ghytrty.duckdns.org:4145

spapertyy.duckdns.org:4145

Mutex

L3Q7I4T2-J8A6-K6O4-W4G3-T5J7D0W2V5E0

Targets

- Target
  
  a5523425c4a1ec48a104970e15e55978.exe
- Size
  
  15KB
- MD5
  
  a5523425c4a1ec48a104970e15e55978
- SHA1
  
  43d820ee908bff37ed63dc8a13d8782637bd3203
- SHA256
  
  1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366
- SHA512
  
  67943d00181e9fe7f31c8ee1ac3acdbc252519732b920d0c4fb700d6eee7ae770ce33e75f07743b3d7536607a0a2e21727bb01703426e99202a7dec66cb5cee4
Score

10^/10

xpertrat special x evasion persistence rat trojan upx
- Suspicious use of NtCreateProcessExOtherParentProcess
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core Payload
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Adds policy Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Install Root Certificate

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xpertratspecial xevasionpersistencerattrojanupx

behavioral2

xpertratspecial xevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy