MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82a737d9ffa6a6c8a53a980473630b8977d326a3a7e96348757a17928debf1fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82a737d9ffa6a6c8a53a980473630b8977d326a3a7e96348757a17928debf1fd
SHA3-384 hash: 999801fdff9886614e0feb3f52502fb7d565efc8f769744e6be83d75fc865d4634d7461ec7514f6a178866bde345e522
SHA1 hash: 4251f04c8e5951673c1ef9cfc60833e6b379d6ad
MD5 hash: 1055a8b756a8bee655054e2490b693e8
humanhash: yankee-monkey-fillet-timing
File name:02 SCRAP BIDDING INVITATION_xlsx.gz
Download: download sample
Signature XpertRAT
Create hunting rule
File size:265'532 bytes
First seen:2020-06-16 15:32:08 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 6144:AeG6gBQgOQq4GLrJEvpfRyZbXl0V9uGorYpVqU21GkNwj61u9K:hG6ga7Qq4GLrJAfRypm9oMCU21GkNwex
TLSH 4A4423374C248EDE73C477369B67DCDB646AFE19382B68215E0D96444F2C0E295AC8CB
Reporter abuse_ch
Tags:gz nVpn RAT XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: PINAR DELIHASANOGLU <pinar.delihasanoglu@poscoassan.com>
Subject: Posco Assan TST JUNE Steel PipeTender Invitation ( Due Date: 27 july12:00 )
Attachment: 02 SCRAP BIDDING INVITATION_xlsx.gz (contains "02 SCRAP BIDDING INVITATION_xlsx.exe")

XpertRAT C2:
79.134.225.85:3135

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Mal.DrodGzip-A.24540.1423.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 15:34:04 UTC
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkttpwp7u2tmrjj2tachgyylrf35gjvdu7uwgsdvpilzfdpl6h6q._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

gz 82a737d9ffa6a6c8a53a980473630b8977d326a3a7e96348757a17928debf1fd

(this sample)

XpertRAT

Executable exe ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4

  
Dropping
MD5 dd5e6e486e6facac99576ee8ebfe048b
  
Dropping
XpertRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4

Comments