xpertrat | 2244-16-0x0000000000400000-0x0000000000443000-memory[.]dmp | Triage

Sharing

General

Target

2244-16-0x0000000000400000-0x0000000000443000-memory.dmp
Size

268KB
MD5

21269701cf0d489430f113e635f5ff81
SHA1

b36bd800222d19d6086bbb3418dadb9e467a1297
SHA256

5da0479b3fff8180673c97b47682cb6a65417402b7e5b94648fae1d399fc3145
SHA512

b90b86c12898a64583933b7a4f7964f7d871a55e79fc22ef7f1072b9fc2872e5c8dbff0dbee8621b8ca979cb4b7025b4a16c00eaa02fcc7337375fb54c78f49d
SSDEEP

3072:Q4evOVoI9v0QhO3UZuGAT1PFluuXD5FNof9ziCl7xJMJa/Z6CNvS+xkE2:7rh0hFtFe9mCBsJaci6+a

Score

10^/10

blaze xpertrat

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

BLAZE

C2

twart.myfirewall.org:5344

Mutex

A6G228Q5-H8G1-F1T6-U4K6-C1J007E2X0Y8

Signatures

XpertRAT Core payload 1 IoCs

Processes:

resource yara_rule

sample xpertrat
Xpertrat family
xpertrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
2244-16-0x0000000000400000-0x0000000000443000-memory.dmp

Files

2244-16-0x0000000000400000-0x0000000000443000-memory.dmp
.exe windows:4 windows x86 arch:x86

237ca8bf125d5d9e5ef0f3b7aae627ff

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ole32

IIDFromString

msvbvm60

EVENT_SINK_GetIDsOfNames
MethCallEngine
EVENT_SINK_Invoke
ord516
ord518
ord626
ord519
ord660
ord553
ord661
ord666
ord667
Zombie_GetTypeInfo
ord669
ord593
ord300
ord594
ord301
ord598
ord599
ord306
ord520
ord307
ord521
ord523
ord709
ord631
ord632
ord525
EVENT_SINK_AddRef
ord527
ord528
ord529
DllFunctionCall
ord563
Zombie_GetTypeInfoCount
EVENT_SINK_Release
ord600
ord601
EVENT_SINK_QueryInterface
__vbaExceptHandler
ord710
ord711
ord712
ord713
ord606
ord607
ord608
ord531
ord716
ord717
ord319
ProcCallEngine
ord535
ord536
ord537
ord644
ord538
ord645
ord570
ord648
ord572
Zombie_AddRef
ord681
ord576
ord577
ord578
ord685
ord100
ord579
ord320
ord321
ord616
ord617
ord618
ord619
ord542
ord650
ord543
ord544
ord545
ord546
ord547
ord580
ord581

Sections

.text
Size: 244KB - Virtual size: 242KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ