General
-
Target
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.doc
-
Size
92KB
-
Sample
231012-pc3f6sbf34
-
MD5
87dc64cd0d2d13f4897619c008540bcb
-
SHA1
7f191350095893ebc3e1aa0e9e79dc083961e697
-
SHA256
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0
-
SHA512
09e5d4f84ee2da4306cd4ddc97bebec6071b075e236ef861149daf30ae156d7e0b6f6882926eb7e0f841988424e07d283f505d9de4d91955e1f305961b05b755
-
SSDEEP
768:ewAbZSibMX9gRWjFrOxpo0gcdOSY04ttpVtocQWILLIYGYsTqcmtDU9YHL:ewAlRQKxmidnY04ttpXoeyhGYsVmtYUL
Static task
static1
Behavioral task
behavioral1
Sample
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.rtf
Resource
win10v2004-20230915-en
Malware Config
Extracted
xpertrat
3.0.10
STRIGIO
sandshoe.myfirewall.org:5344
I8N3F0X7-G4E2-P2S0-T0D7-R1N2H5T660I4
Targets
-
-
Target
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0_JC.doc
-
Size
92KB
-
MD5
87dc64cd0d2d13f4897619c008540bcb
-
SHA1
7f191350095893ebc3e1aa0e9e79dc083961e697
-
SHA256
aee43496026aadd3bb0884c7fcd200758fde8c35940f0745628f4a0f480923c0
-
SHA512
09e5d4f84ee2da4306cd4ddc97bebec6071b075e236ef861149daf30ae156d7e0b6f6882926eb7e0f841988424e07d283f505d9de4d91955e1f305961b05b755
-
SSDEEP
768:ewAbZSibMX9gRWjFrOxpo0gcdOSY04ttpVtocQWILLIYGYsTqcmtDU9YHL:ewAlRQKxmidnY04ttpXoeyhGYsVmtYUL
-
XpertRAT Core payload
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook accounts
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2