xpertrat | 1532-80-0x0000000000400000-0x0000000000443000-memory[.]dmp | Triage

Sharing

General

Target

1532-80-0x0000000000400000-0x0000000000443000-memory.dmp
Size

268KB
MD5

f4490fee4229e1df32bb96f965c06fc6
SHA1

69f8b30a5b3a59a80d8bd693b99a85558db24ff3
SHA256

b38a119dca8f075471c1fd509ea86824b6b85405988317b76599f4fbaca94e2e
SHA512

da585f6e1692d8f44096b8236d74970037b40d7fe7a0b5a3afcc45a3226557929c8b62ea384be3d6ad214dc46720354fd420b9880f9326774246a432a2ba5de6
SSDEEP

3072:A4evOVoI9v0QhO3UZuGAT1PFluuXD5FNof9ziCl7xJMJa/Z6CNvS+xke1:rrh0hFtFe9mCBsJaci6+7

Score

10^/10

sales xpertrat

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

sales

C2

103.212.81.159:5134

Mutex

P0U4N118-N5L3-W331-B1K0-Y2V3O6B8B2Q6

Signatures

XpertRAT Core payload 1 IoCs

Processes:

resource yara_rule

sample xpertrat
Xpertrat family
xpertrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
1532-80-0x0000000000400000-0x0000000000443000-memory.dmp

Files

1532-80-0x0000000000400000-0x0000000000443000-memory.dmp
.exe windows x86

237ca8bf125d5d9e5ef0f3b7aae627ff

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

IIDFromString

msvbvm60

EVENT_SINK_GetIDsOfNames
MethCallEngine
EVENT_SINK_Invoke
ord516
ord518
ord626
ord519
ord660
ord553
ord661
ord666
ord667
Zombie_GetTypeInfo
ord669
ord593
ord300
ord594
ord301
ord598
ord599
ord306
ord520
ord307
ord521
ord523
ord709
ord631
ord632
ord525
EVENT_SINK_AddRef
ord527
ord528
ord529
DllFunctionCall
ord563
Zombie_GetTypeInfoCount
EVENT_SINK_Release
ord600
ord601
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord710
ord711
ord712
ord713
ord606
ord607
ord608
ord531
ord716
ord717
ord319
ProcCallEngine
ord535
ord536
ord537
ord644
ord538
ord645
ord570
ord648
ord572
Zombie_AddRef
ord681
ord576
ord577
ord578
ord685
ord100
ord579
ord320
ord321
ord616
ord617
ord618
ord619
ord542
ord650
ord543
ord544
ord545
ord546
ord547
ord580
ord581

Sections

.text
Size: 244KB - Virtual size: 242KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ