General
Target: PO sept2116 FRP-SHM.doc
Size: 341KB
Sample: 210916-slchwsgeeq
MD5: dc9a33a35b76796e46c64dd1b464b12f
SHA1: a235e802a62465a8985af532730d89e60f17f982
SHA256: 39f9e4df37b9d4b3e5ad5df753c9e8c3617472f3cfa778e43ddd822544455788
SHA512: f07653cea29668a76197ae59c5ca7e918517d068a5050df4a5bd1d3261a1451df7d164c197151a9c0dbd61b697c66054b9383d7b92a3c73925ad1bfaacc07f94
Static task: static1
Behavioral task: behavioral1 (Sample: PO sept2116 FRP-SHM.doc; Resource: win7-en)
Behavioral task: behavioral2 (Sample: PO sept2116 FRP-SHM.doc; Resource: win10v20210408)
Malware Config
Extracted: httP://esetnode32-antiviru.ydns.eu/EXCEL.exe
Extracted: xpertrat (version 3.0.10)
Test
kapasky-antivirus.firewall-gateway.net:4000
L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Targets
Target: PO sept2116 FRP-SHM.doc
Size: 341KB
(MD5, SHA1, SHA256 and SHA512 are the same values listed under General)
- Process spawned unexpected child process (this typically indicates the parent process was compromised via an exploit or macro)
- XpertRAT Core Payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext