General
- Target: Inq PO-000202120741.doc
- Size: 535KB
- Sample: 210930-ktl4ashbdm
- MD5: 4ef6b1fa16f352e1969080579b832ee3
- SHA1: d4b85b188ad50ef69c1a238b979a1db7f0d4970d
- SHA256: 29327d8089389d96e7ae1abcbd7c300ab587c59fa5841b748ef47e279d0c526b
- SHA512: 85bb5bde53e6df3b759377ec1920a01281ca0f36bd477335759fdb5b043575628e7be11a960c0ff04188c2a17d4c51b9c43a6efeaf21b505a48c65311af026a3
Static task: static1
Behavioral task: behavioral1
- Sample: Inq PO-000202120741.doc
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: Inq PO-000202120741.doc
- Resource: win10-en-20210920
Malware Config
Extracted
- httP://avira.ydns.eu/EXCEL.exe
Extracted
- Family: xpertrat
- Version: 3.0.10
- Test
- kapasky-antivirus.firewall-gateway.net:4000
- L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Targets
- Target: Inq PO-000202120741.doc (hashes as listed under General)
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- XpertRAT Core Payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext