xpertrat | c199073c64d105494e8c71b079f32999f0cfc363cc530149b8e2e68b6b9be2c7 | Triage

Submit
Reports

Overview

overview

Static

static

15bdbbb74d...in.exe

windows7_x64

15bdbbb74d...in.exe

windows10_x64

Sharing

General

Target

quotepoexe.zip
Size

402KB
Sample

211123-x2arfsbafm
MD5

11aef155ec040bff6c9954662ca2fea6
SHA1

0ea7d964a27b50e4386a97cb58118ab99e4d44e0
SHA256

c199073c64d105494e8c71b079f32999f0cfc363cc530149b8e2e68b6b9be2c7
SHA512

5588d4b92466256f1ca479042741810dda2142c730295a34f4d73ff842c26d9ee2ff3f521e293454be384f06919630b47a46a9ac74fe9d80f6df87ec5f381d48

Score

10^/10

xpertrat evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

15bdbbb74d12a8fb5e0d6cd961e06e63bb17c3fffe8f75387512010e3c9ff189.bin.exe

Resource

win7-en-20211014

xpertrat evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

15bdbbb74d12a8fb5e0d6cd961e06e63bb17c3fffe8f75387512010e3c9ff189.bin.exe

Resource

win10-en-20211014

xpertrat evasion persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  15bdbbb74d12a8fb5e0d6cd961e06e63bb17c3fffe8f75387512010e3c9ff189.bin
- Size
  
  483KB
- MD5
  
  a356907e372f5e4558150d0eb14a9aae
- SHA1
  
  2493f4864ce1d4dc86197351dc4cdda099a5ba73
- SHA256
  
  15bdbbb74d12a8fb5e0d6cd961e06e63bb17c3fffe8f75387512010e3c9ff189
- SHA512
  
  4c75bee75e4c4a1a80c03c042c5c672aeb92fd0feba42eb4b2dee9dfd3e0eb15d9434cd8e7f729a2e4c4ca7e907b113f2fe3289419346973a2826ac65987d483
Score

10^/10

xpertrat evasion persistence rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xpertratevasionpersistencerattrojan

behavioral2

xpertratevasionpersistencerattrojan

© 2018-2024

Terms | Privacy