xpertrat | f2926aaea4603961e15c9ac92eb599ddd51bd6e19bd7fded285a1db16753db87 | Triage

Sharing

General

Target

7560b03d9721036181565287e85d9525_JaffaCakes118
Size

1.1MB
Sample

240401-vfw2fsae59
MD5

7560b03d9721036181565287e85d9525
SHA1

447c0d915c9236b5f3221bfbe05e5b57785d3142
SHA256

f2926aaea4603961e15c9ac92eb599ddd51bd6e19bd7fded285a1db16753db87
SHA512

fb38977856b6d4702b1793916c90b0b595dc8881457d6a2a98ba488f80e444314a5e1cdaa0f6a741e6c12b129195fd04f499d84a4cca32386c64fe58ccdfe583
SSDEEP

24576:wLFftZPKgfM82jk4sM7RPPzN6dK3KEf02oaSzFEvtOA:QZPK3DkktYw3ttyzF2tf

Score

10^/10

xpertrat zgrat test evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Targets

- Target
  
  7560b03d9721036181565287e85d9525_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  7560b03d9721036181565287e85d9525
- SHA1
  
  447c0d915c9236b5f3221bfbe05e5b57785d3142
- SHA256
  
  f2926aaea4603961e15c9ac92eb599ddd51bd6e19bd7fded285a1db16753db87
- SHA512
  
  fb38977856b6d4702b1793916c90b0b595dc8881457d6a2a98ba488f80e444314a5e1cdaa0f6a741e6c12b129195fd04f499d84a4cca32386c64fe58ccdfe583
- SSDEEP
  
  24576:wLFftZPKgfM82jk4sM7RPPzN6dK3KEf02oaSzFEvtOA:QZPK3DkktYw3ttyzF2tf
Score

10^/10

xpertrat zgrat test evasion persistence rat trojan
- Detect ZGRat V1
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Adds policy Run key to start application
  persistence
- Deletes itself
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xpertratzgrattestevasionpersistencerattrojan

behavioral2

xpertratzgrattestevasionpersistencerattrojan