xpertrat | 39f9e4df37b9d4b3e5ad5df753c9e8c3617472f3cfa778e43ddd822544455788 | Triage

Submit
Reports

Overview

overview

Static

static

PO sept211...HM.doc

windows7_x64

PO sept211...HM.doc

windows10_x64

Sharing

General

Target

PO sept2116 FRP-SHM.doc
Size

341KB
Sample

210916-slchwsgeeq
MD5

dc9a33a35b76796e46c64dd1b464b12f
SHA1

a235e802a62465a8985af532730d89e60f17f982
SHA256

39f9e4df37b9d4b3e5ad5df753c9e8c3617472f3cfa778e43ddd822544455788
SHA512

f07653cea29668a76197ae59c5ca7e918517d068a5050df4a5bd1d3261a1451df7d164c197151a9c0dbd61b697c66054b9383d7b92a3c73925ad1bfaacc07f94

Score

10^/10

xpertrat test evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

PO sept2116 FRP-SHM.doc

Resource

win7-en

xpertrat test evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO sept2116 FRP-SHM.doc

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://esetnode32-antiviru.ydns.eu/EXCEL.exe

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Targets

- Target
  
  PO sept2116 FRP-SHM.doc
- Size
  
  341KB
- MD5
  
  dc9a33a35b76796e46c64dd1b464b12f
- SHA1
  
  a235e802a62465a8985af532730d89e60f17f982
- SHA256
  
  39f9e4df37b9d4b3e5ad5df753c9e8c3617472f3cfa778e43ddd822544455788
- SHA512
  
  f07653cea29668a76197ae59c5ca7e918517d068a5050df4a5bd1d3261a1451df7d164c197151a9c0dbd61b697c66054b9383d7b92a3c73925ad1bfaacc07f94
Score

10^/10

xpertrat test evasion persistence rat trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core Payload
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xpertrattestevasionpersistencerattrojan

behavioral2

© 2018-2024

Terms | Privacy