MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb
SHA3-384 hash: 7f5c53accc49b1f93344f4fa6e3d0c6c070108cc35959b7e1dcf26f628c44f47ec076de8d8929801f72ec8bb9aca0902
SHA1 hash: 7576165f1ce2d81ac9963b72e74e28c9934e3a04
MD5 hash: 7fa2d91fa5382248b2731acc75f003a0
humanhash: september-four-missouri-hotel
File name: AECOM General Presentation.exe
Signature: XpertRAT
File size: 321'024 bytes
First seen: 2020-06-29 19:26:13 UTC
Last seen: 2020-07-06 07:05:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:whcf38DqLx5RvHz6fDvxOZCIUV8/0qPVLs1VBNSO3pBtRJSCZw3c6:hd5Rvz6fbUCq/0upsNT3pBt7SCZH6
TLSH: FE64DF1073DEAB2AD5BD83F588B5594407F4BAFE6412E31DADC160CE1E66F860B40E27
Reporter: @abuse_ch
Tags: exe XpertRAT


Twitter (@abuse_ch):
Malspam distributing XpertRAT:

HELO: vps.gibalto.es
Sending IP: 82.194.93.48
From: aecom <procurement@aecom.com>
Subject: Tender
Attachment: AECOM General Presentation.gz (contains "AECOM General Presentation.exe")

XpertRAT C2:
79.134.225.85:3135

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 2
# of downloads: 32
Origin country: US
CAPE Sandbox: Detection: n/a
Link: https://www.capesandbox.com/analysis/16571/
ClamAV: No detection
CERT.PL MWDB: Detection: n/a
Link: https://mwdb.cert.pl/sample/a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb/
ReversingLabs: Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-29 19:28:05 UTC
AV detection: 25 of 31 (80.65%)
Threat level: 5/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage: Score: 10/10
Malware Family: n/a
Link: https://tria.ge/reports/200629-m7vn6849he/
Tags: evasion trojan persistence spyware
VirusTotal: VirusTotal results 13.89%

Yara Signatures


Rule name: win_vobfus_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: win_xpertrat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: MD5 d838988c3c60359c94e01972f2dd8a18 (XpertRAT)
This sample: Executable exe a2afda47f4169023bca3c730a48e58d6c40e84236b959a871e883ded3304d5fb
Delivery method: Distributed via e-mail attachment
