xpertrat | 0580f2e1a63c8db40f25570a673b1620d753d28f55101dd5f9d8270755d69261 | Triage

Sharing

General

Target

SPELIST0120Dec-130073_164300887Spec_Pdf.exe
Size

1.3MB
Sample

211221-n6weaadch2
MD5

38f21e75ff73996220385c651b977d13
SHA1

c46c478a05c788c60abccf265d58de93115da221
SHA256

0580f2e1a63c8db40f25570a673b1620d753d28f55101dd5f9d8270755d69261
SHA512

28cbaa62ddc069ec325a61bdb585be6ef76265f9ee1fb75560e19ed99fa429387b488217942fc1e7c1393cefc7546d82abbe63f02ad321d90b31a5682ba1a069

Score

10^/10

xpertrat collection evasion persistence rat trojan

Malware Config

Targets

- Target
  
  SPELIST0120Dec-130073_164300887Spec_Pdf.exe
- Size
  
  1.3MB
- MD5
  
  38f21e75ff73996220385c651b977d13
- SHA1
  
  c46c478a05c788c60abccf265d58de93115da221
- SHA256
  
  0580f2e1a63c8db40f25570a673b1620d753d28f55101dd5f9d8270755d69261
- SHA512
  
  28cbaa62ddc069ec325a61bdb585be6ef76265f9ee1fb75560e19ed99fa429387b488217942fc1e7c1393cefc7546d82abbe63f02ad321d90b31a5682ba1a069
Score

10^/10

xpertrat collection evasion persistence rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- Adds policy Run key to start application
  persistence
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xpertratcollectionevasionpersistencerattrojan

behavioral2