General

  • Target

    quotepoexe.zip

  • Size

    402KB

  • Sample

    211123-x2arfsbafm

  • MD5

    11aef155ec040bff6c9954662ca2fea6

  • SHA1

    0ea7d964a27b50e4386a97cb58118ab99e4d44e0

  • SHA256

    c199073c64d105494e8c71b079f32999f0cfc363cc530149b8e2e68b6b9be2c7

  • SHA512

    5588d4b92466256f1ca479042741810dda2142c730295a34f4d73ff842c26d9ee2ff3f521e293454be384f06919630b47a46a9ac74fe9d80f6df87ec5f381d48

Malware Config

Targets

    • Target

      15bdbbb74d12a8fb5e0d6cd961e06e63bb17c3fffe8f75387512010e3c9ff189.bin

    • Size

      483KB

    • MD5

      a356907e372f5e4558150d0eb14a9aae

    • SHA1

      2493f4864ce1d4dc86197351dc4cdda099a5ba73

    • SHA256

      15bdbbb74d12a8fb5e0d6cd961e06e63bb17c3fffe8f75387512010e3c9ff189

    • SHA512

      4c75bee75e4c4a1a80c03c042c5c672aeb92fd0feba42eb4b2dee9dfd3e0eb15d9434cd8e7f729a2e4c4ca7e907b113f2fe3289419346973a2826ac65987d483

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • Looks for VirtualBox Guest Additions in registry

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks