General

  • Target

    gunzipped.exe

  • Size

    619KB

  • Sample

    220513-km65wsghel

  • MD5

    5a31075c7e2eede32b52b7e32d16f560

  • SHA1

    1b0325131df5e081f802f907246da4f2331d60c0

  • SHA256

    d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137

  • SHA512

    d785092dd4cc6ef921c3f5f8146412ae1e4fd0891ed1493c72801f31adfc3b80aac258021d6c7fe97f03e52180f92349a00a3781581801748fad7339fc13bb1d

Malware Config

Targets

    • Target

      gunzipped.exe

    • Size

      619KB

    • MD5

      5a31075c7e2eede32b52b7e32d16f560

    • SHA1

      1b0325131df5e081f802f907246da4f2331d60c0

    • SHA256

      d6d4f87e9126bf6792e3774f73f9c15e308328bca3f8fcef5f5d943a0904e137

    • SHA512

      d785092dd4cc6ef921c3f5f8146412ae1e4fd0891ed1493c72801f31adfc3b80aac258021d6c7fe97f03e52180f92349a00a3781581801748fad7339fc13bb1d

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Windows security modification

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Program crash

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks