xpertrat | 2716bdd86f5e2a5364c1dd061a36270bf8eade4838e0e0e08677093bc0b8d910 | Triage

Submit
Reports

Overview

overview

Static

static

REQ PO_009...PI.doc

windows7_x64

REQ PO_009...PI.doc

windows10_x64

Sharing

General

Target

REQ PO_0092546 FOR PI.doc
Size

422KB
Sample

211015-hh3kssafc3
MD5

115cb391afa5ed68f040ec69b00c84c1
SHA1

319cea32abbb8ef0a55fff174dafdea4d3a7b0c7
SHA256

2716bdd86f5e2a5364c1dd061a36270bf8eade4838e0e0e08677093bc0b8d910
SHA512

077c977bd8e08579e9f2f85b7077dbe869b1ac0359d40d463b0a7dda28b0a297222e44386b62fff4b04367513286e8fe755352cca59d1c2ce78e306b310e7879

Score

10^/10

xpertrat collection evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

REQ PO_0092546 FOR PI.doc

Resource

win7-en-20211014

xpertrat collection evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

REQ PO_0092546 FOR PI.doc

Resource

win10-en-20210920

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://avira.ydns.eu/EXCEL.exe

Targets

- Target
  
  REQ PO_0092546 FOR PI.doc
- Size
  
  422KB
- MD5
  
  115cb391afa5ed68f040ec69b00c84c1
- SHA1
  
  319cea32abbb8ef0a55fff174dafdea4d3a7b0c7
- SHA256
  
  2716bdd86f5e2a5364c1dd061a36270bf8eade4838e0e0e08677093bc0b8d910
- SHA512
  
  077c977bd8e08579e9f2f85b7077dbe869b1ac0359d40d463b0a7dda28b0a297222e44386b62fff4b04367513286e8fe755352cca59d1c2ce78e306b310e7879
Score

10^/10

xpertrat collection evasion persistence rat trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

xpertratcollectionevasionpersistencerattrojan

behavioral2

© 2018-2024

Terms | Privacy