xpertrat | d72da2af39e90713d465aff2de9c4991a2fe6125e06b67cd85cd67915a2c966e | Triage

Submit
Reports

Overview

overview

Static

static

INQUIRY No...ro.exe

windows7_x64

INQUIRY No...ro.exe

windows10_x64

Sharing

General

Target

INQUIRY No. 063021 Materials for Al Wakra Pro.exe
Size

1.3MB
Sample

210630-fm727g6d7a
MD5

a15915a25a5ec67af6e2e422acedaa68
SHA1

c48ccd1326ab3a1d15dec32b1617c2e65ee9d194
SHA256

d72da2af39e90713d465aff2de9c4991a2fe6125e06b67cd85cd67915a2c966e
SHA512

87bb58dfed4271fc985e2c4987478230b4ed588986749798ffe333ea885bca41f3aa8cf98a0b23bf6e53eaa7cce803e9b717ed5530c8dd5751ae0853005e3fdb

Score

10^/10

xpertrat oscar client evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

INQUIRY No. 063021 Materials for Al Wakra Pro.exe

Resource

win7v20210410

xpertrat oscar client evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

INQUIRY No. 063021 Materials for Al Wakra Pro.exe

Resource

win10v20210408

xpertrat oscar client evasion persistence rat trojan upx

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

OSCAR CLIENT

C2

oski123.duckdns.org:1909

Mutex

I3N7G4R2-G886-I6M4-U4E2-R5H6B0U1T5C8

Targets

- Target
  
  INQUIRY No. 063021 Materials for Al Wakra Pro.exe
- Size
  
  1.3MB
- MD5
  
  a15915a25a5ec67af6e2e422acedaa68
- SHA1
  
  c48ccd1326ab3a1d15dec32b1617c2e65ee9d194
- SHA256
  
  d72da2af39e90713d465aff2de9c4991a2fe6125e06b67cd85cd67915a2c966e
- SHA512
  
  87bb58dfed4271fc985e2c4987478230b4ed588986749798ffe333ea885bca41f3aa8cf98a0b23bf6e53eaa7cce803e9b717ed5530c8dd5751ae0853005e3fdb
Score

10^/10

xpertrat oscar client evasion persistence rat trojan upx
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core Payload
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Adds policy Run key to start application
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xpertratoscar clientevasionpersistencerattrojanupx

behavioral2

xpertratoscar clientevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy