General
Target: RF Oferta_07102021.doc
Size: 500KB
Sample: 211007-n3f57aceej
MD5: c977721c2b6e22a4bb29bc723e88dc14
SHA1: 33e5d7488767291024cbf2581fbe360384c7d67a
SHA256: 1c9bbe414128de9b946727e8ac7fe2edf9c28731fabbc564dee935a97721d358
SHA512: 93cc581978c4b35f743a6bcd7eb48efe590141be3d4f636e44b6a000332ccd4007745aa014806d3375f485a7db3ddf7630b2b24c71093eebeb890786c1603d3b
Static task: static1
Behavioral task: behavioral1 (Sample: RF Oferta_07102021.doc, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: RF Oferta_07102021.doc, Resource: win10-en-20210920)
Malware Config
Extracted: httP://avira.ydns.eu/EXCEL.exe
Extracted: xpertrat 3.0.10, Test, kapasky-antivirus.firewall-gateway.net:4000, L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Targets
Target: RF Oferta_07102021.doc
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- XpertRAT Core Payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext