MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd
SHA3-384 hash: 9050aed6ed6f2525efcb2657a82377fb732eb6519435444725bfcbf6becf128510b20802ea628eb5cb21ed17fb28086a
SHA1 hash: 5258f988f0cc83f8b2e5eacff773ff6bcd7f6723
MD5 hash: ba9886e0e02c68c21664cca831d6334a
humanhash: sad-cat-cardinal-uniform
File name:03-07-2020_Hitachi Compressor_spare parts for Adsoption AC 220, spare parts for RENNER RS 45-15TI6yyuqxmiPlmQKpdf.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:764'416 bytes
First seen:2020-08-13 08:25:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:fm0xYtjF+j4VBJe6hWhgldLLxSHIFJo/7gYvItpZSW+1y6nnjqKoe:fmAYtjIYJeNgldLLxS3/cYM76nnjqKoe
Threatray 348 similar samples on MalwareBazaar
TLSH E8F4BF6337848998CF6D0DF66217404023B5ACBFDB18D60D6FC932965EFABB12512B1B
Reporter abuse_ch
Tags:exe geo nVpn RAT THA XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: n-naphutsakorn@hctl.hitachi-asia.com
Subject: Confirm ใบสั่งซื้อ PO # AK070144 - Hitachi compressor
Attachment: 03-07-2020_Hitachi Compressor_spare parts for Adsoption AC 220, spare parts for RENNER RS 45-15TI6yy (contains "03-07-2020_Hitachi Compressor_spare parts for Adsoption AC 220, spare parts for RENNER RS 45-15TI6yyuqxmiPlmQKpdf.exe")

XpertRAT C2:
194.5.98.159:3456

Hosted on nVpn:

% Information related to '194.5.98.0 - 194.5.98.255'

% Abuse contact for '194.5.98.0 - 194.5.98.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.98.0 - 194.5.98.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU6
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-04-26T16:42:54Z
last-modified: 2020-07-30T03:41:26Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44961/
Detection(s):
SecuriteInfo.com.Variant.Ursu.479710.29104.3219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Replacing files
Reading critical registry keys
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Deleting of the original file
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/425455
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (creates a PE file in dynamic memory)
Disables UAC (registry)
Disables user account control notifications
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 265292 Sample: PlmQKpdf.exe Startdate: 14/08/2020 Architecture: WINDOWS Score: 100 53 Malicious sample detected (through community Yara rule) 2->53 55 Yara detected XpertRAT 2->55 57 Yara detected AntiVM_3 2->57 59 3 other signatures 2->59 8 PlmQKpdf.exe 3 2->8         started        12 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe 3 2->12         started        14 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe 2 2->14         started        16 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe 2 2->16         started        process3 file4 43 C:\Users\user\AppData\...\PlmQKpdf.exe.log, ASCII 8->43 dropped 71 Detected unpacking (creates a PE file in dynamic memory) 8->71 73 Injects a PE file into a foreign processes 8->73 18 PlmQKpdf.exe 1 1 8->18         started        21 PlmQKpdf.exe 8->21         started        75 Machine Learning detection for dropped file 12->75 23 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe 1 12->23         started        25 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe 12->25         started        27 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe 14->27         started        29 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe 1 16->29         started        signatures5 process6 signatures7 61 Changes security center settings (notifications, updates, antivirus, firewall) 18->61 63 Disables user account control notifications 18->63 65 Writes to foreign memory regions 18->65 67 3 other signatures 18->67 31 iexplore.exe 3 7 18->31         started        process8 dnsIp9 45 194.5.98.159, 3456, 49720, 49722 DANILENKODE Netherlands 31->45 39 L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0.exe, PE32 31->39 dropped 41 C:\...\L3Q7I4T2-J8A6-L6O4-W4G3-U5J7D0W2W5E0, data 31->41 dropped 47 Creates an undocumented autostart registry key 31->47 49 Creates autostart registry keys with suspicious names 31->49 51 Writes to foreign memory regions 31->51 36 notepad.exe 31->36         started        file10 signatures11 process12 signatures13 69 Deletes itself after installation 36->69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-13 08:27:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=abwad3hmnikk2ybyxgehms445pcpoxg4zvgm5xc3syv52pgjss6q._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2
XpertRAT
13c555d2bc29bc384b7c496c0aefadfbe38d7b415e11c43bdbcfdf702062d1f3
XpertRAT
2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101
XpertRAT
4aff31bec64048fdf3913ac6ac61d5670cc351a3054500e6dcf25779b1a2e54b
XpertRAT
9666c06b6da42bc3cc7ae265a46cd4d137c74a1be711151efe9a44c31a894a78
XpertRAT
a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb
XpertRAT
ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4
XpertRAT
bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
XpertRAT
d87c321887e33a1f90a29b21be81459835a725d9a056916b1cafaaacc06169f5
XpertRAT
efa7f245a35c85568d26690f149f992e77c007fa1fbb7c2f4f050cea7fcca930
XpertRAT
+ 338 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence
Link:
https://tria.ge/reports/200813-3h7j1yc4ca/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Windows security modification
Deletes itself
Windows security modification
Adds policy Run key to start application
Adds policy Run key to start application
UAC bypass
Windows security bypass
UAC bypass
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

rar c18e32f62749b4a7301ce9013e3487ad4a98449d8ee80d813c11e21f9f3648ec

XpertRAT

Executable exe 006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd

(this sample)

  
Dropped by
MD5 36846cbd6f90ab1c9d6558b9636d5ece
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44961/
  
Dropped by
SHA256 c18e32f62749b4a7301ce9013e3487ad4a98449d8ee80d813c11e21f9f3648ec

Comments