General

  • Target

    9bd273556358606717f3d0e7d4a2521dba396d6838d8dfccb78bfc5c98590b84

  • Size

    20KB

  • Sample

    211004-sal8ysgfam

  • MD5

    5028df0da2732dc8528ca9b7d7e41be5

  • SHA1

    462a178ab8063511109a91e11d44443485edd49d

  • SHA256

    9bd273556358606717f3d0e7d4a2521dba396d6838d8dfccb78bfc5c98590b84

  • SHA512

    dc31474f8a6ac3a1ca811a769a6c8c13b7beec22071565a37cbd8db85831e5d0fc3f270dc1328705849c23fac6eb7c1b55bc255db69ec3d7380771914fc8c3ae

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Targets

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • XpertRAT Core Payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Adds policy Run key to start application

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Deletes itself

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext
