General

  • Target

    facturaproforma#201803601.exe

  • Size

    456KB

  • Sample

    211203-nf2hlsgcbm

  • MD5

    d778653148f01332e42a7161f0599f54

  • SHA1

    e1249522a8ea1cee94b18c4bc7cd98d450fe3b23

  • SHA256

    a3015093b23acb5ee6d0491eca81d6f8b2ad7d9b15181a9366e429e49cf6bf77

  • SHA512

    14a271e1072c908cae64200f853c5a414888dc079ddad806e3bcd940e3e8798e8bccffc312bf091f8fb113dc25416c1b44373ca3d0454e987ba80962cd01be61

Malware Config

Targets

    • Target

      facturaproforma#201803601.exe


    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • Looks for VirtualBox Guest Additions in registry

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060), count 2

  • Privilege Escalation

    Bypass User Account Control (T1088), count 1

  • Defense Evasion

    Bypass User Account Control (T1088), count 1

    Disabling Security Tools (T1089), count 3

    Modify Registry (T1112), count 6

    Virtualization/Sandbox Evasion (T1497), count 2

  • Discovery

    Query Registry (T1012), count 4

    Virtualization/Sandbox Evasion (T1497), count 2

    System Information Discovery (T1082), count 3

    Peripheral Device Discovery (T1120), count 1

Tasks