General

  • Target

    6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754

  • Size

    724KB

  • Sample

    220725-dtalyacffq

  • MD5

    61234732aaee3b52d2a921c61f4a5ca0

  • SHA1

    af3b4b38706e62632d33ed46c14db107b2e86087

  • SHA256

    6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754

  • SHA512

    c5db3da3a615f95caed497d86d2582145f1b31e9effd2c16976a55adb12f9f74acd78a728f9f8fda791199f6675dc6b6f388e7465d3d1f89f45dac674d2ab6c5

Malware Config

Targets

    • Target

      6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754

    • Size

      724KB

    • MD5

      61234732aaee3b52d2a921c61f4a5ca0

    • SHA1

      af3b4b38706e62632d33ed46c14db107b2e86087

    • SHA256

      6907f16f7d1e603081bd0252d87947ad80af921222626c521b9b0f2202ebd754

    • SHA512

      c5db3da3a615f95caed497d86d2582145f1b31e9effd2c16976a55adb12f9f74acd78a728f9f8fda791199f6675dc6b6f388e7465d3d1f89f45dac674d2ab6c5

    • UAC bypass

    • Windows security bypass

    • XpertRAT

      XpertRAT is a remote access trojan with various capabilities.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks