MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4aff31bec64048fdf3913ac6ac61d5670cc351a3054500e6dcf25779b1a2e54b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4aff31bec64048fdf3913ac6ac61d5670cc351a3054500e6dcf25779b1a2e54b
SHA3-384 hash: a8ce03bf71827399bc5c0183fb2b1f785c466f6058bf82f312b2e7ee013a956884058c43a7d0aeab5ee15f81b48bfcde
SHA1 hash: b82b2dee70fc6aaf8f50d4a033ba788c715672b5
MD5 hash: 0e2c2bd413569d6d380c8c54902b4af6
humanhash: arkansas-triple-nine-rugby
File name:AMS20_GeneralBrochureEN_web_pdf.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:991'744 bytes
First seen:2020-08-04 07:00:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:UHcPgYxmOE+2Do4pPeRH89fS82biqFEj8XmKfRWnq9MrvI/bS2hYThe2fDVu0u:ZIYxPeVZlA8SLFe8/wnqHThKheIVz
Threatray 361 similar samples on MalwareBazaar
TLSH 7125AEC1E140DDA0E829053A8832D9650B37AE2FEE91461B34DCB51977F338769BAF47
Reporter abuse_ch
Tags:exe nVpn RAT XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: Jenny Chuang <Jenny.Chuang@hongkong.messefrankfurt.com>
Subject: Greetings from Automechanika Shanghai 2-5 December 2020
Attachment: AMS20_GeneralBrochureEN_web_pdf.r00 (contains "AMS20_GeneralBrochureEN_web_pdf.exe")

XpertRAT C2:
185.165.153.49:3456

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38237/
Detection(s):
Win.Trojan.Hzzv-7433640-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Replacing files
Reading critical registry keys
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Deleting of the original file
Result
Threat name:
MailPassView XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408718
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (creates a PE file in dynamic memory)
Disables UAC (registry)
Disables user account control notifications
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256599 Sample: AMS20_GeneralBrochureEN_web... Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Yara detected MailPassView 2->62 64 Yara detected XpertRAT 2->64 66 6 other signatures 2->66 9 AMS20_GeneralBrochureEN_web_pdf.exe 1 2->9         started        13 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 1 2->13         started        15 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 2->15         started        17 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 2->17         started        process3 file4 56 AMS20_GeneralBrochureEN_web_pdf.exe.log, ASCII 9->56 dropped 82 Detected unpacking (creates a PE file in dynamic memory) 9->82 84 Injects a PE file into a foreign processes 9->84 19 AMS20_GeneralBrochureEN_web_pdf.exe 1 1 9->19         started        22 AMS20_GeneralBrochureEN_web_pdf.exe 9->22         started        86 Machine Learning detection for dropped file 13->86 88 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 13->88 24 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 1 13->24         started        26 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 1 15->26         started        28 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 15->28         started        30 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 17->30         started        signatures5 process6 signatures7 74 Changes security center settings (notifications, updates, antivirus, firewall) 19->74 76 Disables user account control notifications 19->76 78 Disables UAC (registry) 19->78 32 iexplore.exe 3 9 19->32         started        37 WerFault.exe 22->37         started        process8 dnsIp9 58 185.165.153.49, 3456, 49728, 49729 DAVID_CRAIGGG Netherlands 32->58 52 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe, PE32 32->52 dropped 54 C:\...\L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7, data 32->54 dropped 68 Creates an undocumented autostart registry key 32->68 70 Creates autostart registry keys with suspicious names 32->70 72 Writes to foreign memory regions 32->72 39 notepad.exe 32->39         started        42 iexplore.exe 32->42         started        44 iexplore.exe 32->44         started        46 6 other processes 32->46 file10 signatures11 process12 signatures13 80 Deletes itself after installation 39->80 48 WerFault.exe 42->48         started        50 WerFault.exe 44->50         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4aff31bec64048fdf3913ac6ac61d5670cc351a3054500e6dcf25779b1a2e54b/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 07:01:08 UTC
AV detection:
35 of 48 (72.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jl7tdpwgibep344rhldkyyovm4gmgundavcqbzw46jlxtmnc4vfq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
emotet
Create hunting rule
Similar samples:
006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd
XpertRAT
12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2
XpertRAT
13c555d2bc29bc384b7c496c0aefadfbe38d7b415e11c43bdbcfdf702062d1f3
XpertRAT
2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101
XpertRAT
9666c06b6da42bc3cc7ae265a46cd4d137c74a1be711151efe9a44c31a894a78
XpertRAT
a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb
XpertRAT
ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4
XpertRAT
bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
XpertRAT
d87c321887e33a1f90a29b21be81459835a725d9a056916b1cafaaacc06169f5
XpertRAT
efa7f245a35c85568d26690f149f992e77c007fa1fbb7c2f4f050cea7fcca930
XpertRAT
+ 351 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200804-25zpr3gc32/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Deletes itself
Windows security modification
Adds policy Run key to start application
UPX packed file
UAC bypass
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4aff31bec64048fdf3913ac6ac61d5670cc351a3054500e6dcf25779b1a2e54b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

r00 bd8aa68952c051639ca9e417e70d5d776643dfdaa3d01efedb1ae294173a8c87

XpertRAT

Executable exe 4aff31bec64048fdf3913ac6ac61d5670cc351a3054500e6dcf25779b1a2e54b

(this sample)

  
Dropped by
MD5 342457bb165a39b5ee211f8ac5419fc1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bd8aa68952c051639ca9e417e70d5d776643dfdaa3d01efedb1ae294173a8c87
Cape
Cape
https://www.capesandbox.com/analysis/38237/

Comments