General

  • Target

    Inq PO-000202120741.doc

  • Size

    535KB

  • Sample

    210930-ktl4ashbdm

  • MD5

    4ef6b1fa16f352e1969080579b832ee3

  • SHA1

    d4b85b188ad50ef69c1a238b979a1db7f0d4970d

  • SHA256

    29327d8089389d96e7ae1abcbd7c300ab587c59fa5841b748ef47e279d0c526b

  • SHA512

    85bb5bde53e6df3b759377ec1920a01281ca0f36bd477335759fdb5b043575628e7be11a960c0ff04188c2a17d4c51b9c43a6efeaf21b505a48c65311af026a3

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: httP://avira.ydns.eu/EXCEL.exe

Extracted

  • Family

    xpertrat

  • Version

    3.0.10

  • Botnet

    Test

  • C2

    kapasky-antivirus.firewall-gateway.net:4000

  • Mutex

    L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Targets

    • Target

      Inq PO-000202120741.doc

    • Size

      535KB

    • MD5

      4ef6b1fa16f352e1969080579b832ee3

    • SHA1

      d4b85b188ad50ef69c1a238b979a1db7f0d4970d

    • SHA256

      29327d8089389d96e7ae1abcbd7c300ab587c59fa5841b748ef47e279d0c526b

    • SHA512

      85bb5bde53e6df3b759377ec1920a01281ca0f36bd477335759fdb5b043575628e7be11a960c0ff04188c2a17d4c51b9c43a6efeaf21b505a48c65311af026a3

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. For this .doc target the extracted ps1 dropper config points to the document launching PowerShell, which then fetches EXCEL.exe from the deobfuscated URL.

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan. The extracted configuration identifies this build as version 3.0.10, botnet "Test", with its C2 at kapasky-antivirus.firewall-gateway.net:4000 and the mutex L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 (a RAT mutex is normally used to keep a single running instance).

    • XpertRAT Core Payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext
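The extracted config and the behavioural signatures above translate directly into detection logic. The Python below is an added example, not part of the sandbox report or of any sandbox tooling: it uses only the indicators printed on this page (dropper URL, C2 host and port, mutex, document SHA-256) plus rules mirroring the report's signatures (Office process spawning a script host, MZ/PE download, Run and policy Run key persistence), and runs them over constructed Sysmon-style event records. The event field names, the process-name sets and the registry value name are assumptions made for the example. URL canonicalisation is deliberate: the extracted dropper URL is written with a mixed-case scheme (`httP://`) and an exact-string blocklist would miss it.

```python
from urllib.parse import urlsplit

# Indicators copied from the report's extracted config (the only values on the page).
DROPPER_URL = "httP://avira.ydns.eu/EXCEL.exe"
C2 = "kapasky-antivirus.firewall-gateway.net:4000"
MUTEX = "L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0"
DOC_SHA256 = "29327d8089389d96e7ae1abcbd7c300ab587c59fa5841b748ef47e279d0c526b"

# Behavioural rules mirroring the report's signatures. The process-name sets are
# assumptions for this example, not values taken from the report.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POLICY_RUN_MARKER = "\\currentversion\\policies\\explorer\\run\\"   # "Adds policy Run key"
RUN_MARKER = "\\currentversion\\run\\"                                # "Adds Run key"


def canon_url(url):
    """Lower-case scheme and host so 'httP://AVIRA.ydns.eu/...' still matches;
    the path is left alone because it may be case-sensitive on the server."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def build_iocs():
    """Normalise the report's indicators into lookup structures."""
    host, port = C2.rsplit(":", 1)
    return {
        "urls": {canon_url(DROPPER_URL)},
        "hosts": {urlsplit(DROPPER_URL).hostname, host.lower()},
        "c2": (host.lower(), int(port)),
        "hashes": {DOC_SHA256.lower()},
        "mutexes": {MUTEX},
    }


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev, iocs):
    """Return the rule names one Sysmon-style event dict trips (possibly several)."""
    hits = []
    kind = ev["type"]
    if kind == "process":
        if basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) in SCRIPT_CHILDREN:
            hits.append("office_spawned_script_host")   # "Process spawned unexpected child process"
    elif kind == "file":
        if ev["sha256"].lower() in iocs["hashes"]:
            hits.append("ioc_sample_hash")
    elif kind == "dns":
        if ev["query"].lower().rstrip(".") in iocs["hosts"]:
            hits.append("ioc_dns_lookup")
    elif kind == "http":
        if canon_url(ev["url"]) in iocs["urls"]:
            hits.append("ioc_dropper_url")
        if ev.get("first_bytes", b"")[:2] == b"MZ":
            hits.append("downloaded_pe")                  # "Downloads MZ/PE file"
    elif kind == "netconn":
        if (ev["dst_host"].lower(), ev["dst_port"]) == iocs["c2"]:
            hits.append("ioc_c2_connect")
        elif ev["dst_host"].lower() in iocs["hosts"]:
            hits.append("ioc_c2_host_other_port")        # same host, unexpected port: still worth a look
    elif kind == "registry":
        key = ev["key"].lower()
        if POLICY_RUN_MARKER in key:
            hits.append("policy_run_key_persistence")
        elif RUN_MARKER in key:
            hits.append("run_key_persistence")
    elif kind == "mutex":
        if ev["name"] in iocs["mutexes"]:
            hits.append("ioc_mutex")
    return hits


# Constructed events (not captured telemetry) modelled on the chain the report describes:
# Word opens the .doc -> PowerShell -> download EXCEL.exe -> persistence -> C2 on port 4000.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file", "path": "C:\\Users\\u\\Downloads\\Inq PO-000202120741.doc",
     "sha256": DOC_SHA256.upper()},
    {"id": 2, "type": "process", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 3, "type": "dns", "query": "AVIRA.ydns.eu."},
    {"id": 4, "type": "http", "url": "HTTP://avira.ydns.EU/EXCEL.exe", "first_bytes": b"MZ\x90\x00"},
    {"id": 5, "type": "registry",  # value name "EXCEL" is an assumption for the example
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\EXCEL",
     "value": "C:\\Users\\u\\AppData\\Roaming\\EXCEL.exe"},
    {"id": 6, "type": "mutex", "name": MUTEX},
    {"id": 7, "type": "netconn", "dst_host": "kapasky-antivirus.firewall-gateway.net", "dst_port": 4000},
    {"id": 8, "type": "netconn", "dst_host": "kapasky-antivirus.firewall-gateway.net", "dst_port": 443},
    {"id": 9, "type": "process", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\notepad.exe"},
]


def scan(events=SAMPLE_EVENTS):
    """Map event id -> list of tripped rule names; events with no findings are omitted."""
    iocs = build_iocs()
    findings = {}
    for ev in events:
        hits = check_event(ev, iocs)
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for eid, rules in scan().items():
        print(eid, ", ".join(rules))
```

Matching is case-insensitive on scheme, host, hash and process name but exact on the mutex string, since mutex names are case-sensitive on Windows. The benign explorer.exe to notepad.exe event produces no finding, and the connection to the C2 host on port 443 is reported separately from the configured port-4000 beacon so an analyst can decide whether the host or the host:port pair is the indicator worth blocking.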

MITRE ATT&CK Enterprise v6

Tasks