xpertrat | 06febadb1cc71ef3987c339b7c862ea4cd32656c372c4f266cd1af68c355a0c0 | Triage

Submit
Reports

Overview

overview

Static

static

939a42faab...92.exe

windows7_x64

939a42faab...92.exe

windows10_x64

Sharing

General

Target

939a42faab70585cf4aed59c73425492.exe
Size

472KB
Sample

210626-lpg4vrrfxs
MD5

939a42faab70585cf4aed59c73425492
SHA1

ccc57ed7de341f637e1ba6e671105ec304bd2c4b
SHA256

06febadb1cc71ef3987c339b7c862ea4cd32656c372c4f266cd1af68c355a0c0
SHA512

04a845f4b4db9f8fb923a10db65a1cac6cce46f52aa46eaa124b7aa710e7d063555e93f93e26dfb9fa3c28425297d080f69025fcbc73801825154cbf659abe00

Score

10^/10

xpertrat special x evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

939a42faab70585cf4aed59c73425492.exe

Resource

win7v20210408

xpertrat special x evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

939a42faab70585cf4aed59c73425492.exe

Resource

win10v20210410

xpertrat special x evasion persistence rat trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

special X

C2

mertrerfeyy.duckdns.org:8494

gwtruwhgw.duckdns.org:8494

dfgrttuutii.duckdns.org:8494

Mutex

J0B4S3L1-T6W3-H2L6-N2T2-W4T8H1F1E6U4

Targets

- Target
  
  939a42faab70585cf4aed59c73425492.exe
- Size
  
  472KB
- MD5
  
  939a42faab70585cf4aed59c73425492
- SHA1
  
  ccc57ed7de341f637e1ba6e671105ec304bd2c4b
- SHA256
  
  06febadb1cc71ef3987c339b7c862ea4cd32656c372c4f266cd1af68c355a0c0
- SHA512
  
  04a845f4b4db9f8fb923a10db65a1cac6cce46f52aa46eaa124b7aa710e7d063555e93f93e26dfb9fa3c28425297d080f69025fcbc73801825154cbf659abe00
Score

10^/10

xpertrat special x evasion persistence rat trojan upx
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core Payload
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Adds policy Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xpertratspecial xevasionpersistencerattrojanupx

behavioral2

xpertratspecial xevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy