xpertrat | 623836d21130037a5ca69a4517e27020b2633de86a0f8b8d614c2268750881d1 | Triage

Sharing

General

Target

f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118
Size

1.1MB
Sample

240922-v7qczs1gpg
MD5

f280eacb46b0ee5c9768d38c8a8ff717
SHA1

347c922cd531bd00c6839738222ea811a8700754
SHA256

623836d21130037a5ca69a4517e27020b2633de86a0f8b8d614c2268750881d1
SHA512

13a90ecf9241f9a4e1fc078e50e6282cb6f15d7cb0c3f152d1013c860b6e4c1da5bff4b54a7450fc7db5644f265d34aca29a047f8eff714259f654b8e8f9c7c3
SSDEEP

24576:wAHnh+eWsN3skA4RV1Hom2KXMmHa7/wQ5tyFYHkMNxOaw5:nh+ZkldoPK8Ya7/7tyFPF

Score

10^/10

xpertrat client x discovery evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Client X

C2

cally.duckdns.org:8775

Mutex

R0W4O1A8-P5N3-Y331-D1M0-B2W4Q6D8D2R6

Targets

- Target
  
  f280eacb46b0ee5c9768d38c8a8ff717_JaffaCakes118
- Size
  
  1.1MB
- MD5
  
  f280eacb46b0ee5c9768d38c8a8ff717
- SHA1
  
  347c922cd531bd00c6839738222ea811a8700754
- SHA256
  
  623836d21130037a5ca69a4517e27020b2633de86a0f8b8d614c2268750881d1
- SHA512
  
  13a90ecf9241f9a4e1fc078e50e6282cb6f15d7cb0c3f152d1013c860b6e4c1da5bff4b54a7450fc7db5644f265d34aca29a047f8eff714259f654b8e8f9c7c3
- SSDEEP
  
  24576:wAHnh+eWsN3skA4RV1Hom2KXMmHa7/wQ5tyFYHkMNxOaw5:nh+ZkldoPK8Ya7/7tyFPF
Score

10^/10

discovery persistence xpertrat client x evasion rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- XpertRAT Core payload
- Adds policy Run key to start application
  persistence
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

xpertratclient xdiscoveryevasionpersistencerattrojan