MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 031d0715451f6fda42db9d687361dbf4e516c5b78d59baea74d7c16395115a1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 031d0715451f6fda42db9d687361dbf4e516c5b78d59baea74d7c16395115a1b
SHA3-384 hash: c4bfb137b3c0e819fff66a6016962a281d1b1ec7db28307ec328443a6610b577d11fbc6883d36e65b0c46f58733fdb11
SHA1 hash: 05fbcb17ad8a8bdeadcf4d8b32352c32c2022473
MD5 hash: 64226fc60e7f0289a08997fbbba95bfd
humanhash: twenty-fruit-angel-shade
File name:PO_Quote#202010-13.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:73'176 bytes
First seen:2020-10-13 06:48:00 UTC
Last seen:2020-10-13 08:21:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:vfuYje0nZJzLLUbYx4RGajaRKg7vS8MJqJWJqJXhXccNqUf2h:vfuYZzD4RGki7vMcgUf
Threatray 33 similar samples on MalwareBazaar
TLSH 2E63D01D2E1ACE32DD750730DC8391B4A6F4665EE66F99318ECF49C9F4B12681B43BA0
Reporter abuse_ch
Tags:exe XpertRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gmail.com
Sending IP: 156.96.47.42
From: ACCOUNT - PROCUREMENT <mitul1.timurnetwork@gmail.com>
Subject: 10 :13 SHADEGATE REQUEST QUOTE/PAYMENT (10_13 Rquest Price#202010-13)
Attachment: 10_13 Rquest Price202010-13.zip (contains "PO_Quote#202010-13.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70301/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.37022.28084.17589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489265
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Disables user account control notifications
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297079 Sample: PO_Quote#202010-13.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 3 other signatures 2->78 7 PO_Quote#202010-13.exe 15 3 2->7         started        12 K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5.exe 14 2 2->12         started        14 K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5.exe 2->14         started        16 K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5.exe 2 2->16         started        process3 dnsIp4 58 us-east-1.route-1.000webhost.awex.io 145.14.144.201, 443, 49748 AWEXUS Netherlands 7->58 60 acquirable-authoriz.000webhostapp.com 7->60 54 C:\Users\user\...\PO_Quote#202010-13.exe.log, ASCII 7->54 dropped 88 Detected unpacking (creates a PE file in dynamic memory) 7->88 90 Hides threads from debuggers 7->90 92 Injects a PE file into a foreign processes 7->92 94 Contains functionality to hide a thread from the debugger 7->94 18 PO_Quote#202010-13.exe 1 1 7->18         started        21 timeout.exe 1 7->21         started        23 PO_Quote#202010-13.exe 7->23         started        62 145.14.144.43, 443, 49758, 49759 AWEXUS Netherlands 12->62 64 192.168.2.1 unknown unknown 12->64 66 acquirable-authoriz.000webhostapp.com 12->66 96 Antivirus detection for dropped file 12->96 98 Multi AV Scanner detection for dropped file 12->98 25 timeout.exe 1 12->25         started        31 4 other processes 12->31 68 acquirable-authoriz.000webhostapp.com 14->68 27 timeout.exe 14->27         started        33 3 other processes 14->33 70 acquirable-authoriz.000webhostapp.com 16->70 29 timeout.exe 16->29         started        35 2 other processes 16->35 file5 signatures6 process7 signatures8 80 Changes security center settings (notifications, updates, antivirus, firewall) 18->80 82 Disables user account control notifications 18->82 37 iexplore.exe 3 7 18->37         started        42 conhost.exe 21->42         started        44 conhost.exe 25->44         started        46 conhost.exe 27->46         started        48 conhost.exe 29->48         started        process9 dnsIp10 56 sandshoe.myfirewall.org 156.96.47.42, 4000 VDI-NETWORKUS United States 37->56 50 K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5.exe, PE32 37->50 dropped 52 C:\...\K8Q3I007-I4H2-R2V0-W0G8-T1Q3K5W771L5, data 37->52 dropped 84 Creates an undocumented autostart registry key 37->84 86 Creates autostart registry keys with suspicious names 37->86 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/031d0715451f6fda42db9d687361dbf4e516c5b78d59baea74d7c16395115a1b/
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Suspicious
First seen:
2020-10-13 02:13:10 UTC
AV detection:
27 of 48 (56.25%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=amoqofkfd5x5uqw3tvuhgyo36tsrnrnxrvm3v2tu27awhfirlinq._file
Verdict:
malicious
Similar samples:
006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd
XpertRAT
08927d7955b1be7fd05d81a73057242117540094dda7cca1c162f3aea18c2854
XpertRAT
0e67a756fae287327df087026a90555ce7c261730aae3d95073164169e8e9d97
XpertRAT
12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2
XpertRAT
2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101
XpertRAT
47230c3bcf570bb50440eee83fb83bebe937489895a2b3fee9805ad675fb239f
XpertRAT
59b88d9a9cc0b316b6cb94cae1e639933685da63bbbfe6c384acfbc11d430aae
XpertRAT
7d90dd1c7420b9b1300ffc653c2465fa6c602f664b2cd0fdf1644a5cdef4954a
XpertRAT
bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
XpertRAT
ce6a9d0932b32e04de770ffb0083b1078ad11df9b7ca0528f9b391872a6a4db2
XpertRAT
+ 23 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
upx rat family:xpertrat persistence spyware evasion trojan
Link:
https://tria.ge/reports/201013-bv87h3dw1a/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Windows security modification
Adds policy Run key to start application
UPX packed file
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
031d0715451f6fda42db9d687361dbf4e516c5b78d59baea74d7c16395115a1b
MD5 hash:
64226fc60e7f0289a08997fbbba95bfd
SHA1 hash:
05fbcb17ad8a8bdeadcf4d8b32352c32c2022473
Link:
https://www.unpac.me/results/f27f1659-a35e-4b3e-ad3a-54e45990939d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/031d0715451f6fda42db9d687361dbf4e516c5b78d59baea74d7c16395115a1b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

zip 7c754cd4ca154e23d3f9c05930d5fd7c71939a31be2bba0c6259d12e59431ea6

XpertRAT

Executable exe 031d0715451f6fda42db9d687361dbf4e516c5b78d59baea74d7c16395115a1b

(this sample)

  
Dropped by
MD5 f1c46c34066a6195d02cffb0871c3fa6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70301/
  
Dropped by
SHA256 7c754cd4ca154e23d3f9c05930d5fd7c71939a31be2bba0c6259d12e59431ea6

Comments