MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 187cd525a046dd304b15ad47a1f8923546cc97a21afae5a2344cf8cac5c5b550. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 187cd525a046dd304b15ad47a1f8923546cc97a21afae5a2344cf8cac5c5b550
SHA3-384 hash: 7143a3d8b827f799528a742ec6660caeb6f8a4e988a1e0aadb50c09ccb2022fc2b5b6fdfb9b5cea7b24804e704011b78
SHA1 hash: 6ca6c3d3fe0b5826c6b3d82144ab745bea2226f7
MD5 hash: a46cbc94fc5553868d63469acad6747f
humanhash: november-florida-blue-pip
File name:SecuriteInfo.com.ArtemisTrojan.29409
Download: download sample
Signature XpertRAT
Create hunting rule
File size:1'061'432 bytes
First seen:2020-11-25 13:40:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:wpUaGTywWYfiFBAj+T4OXHdIYRs5QLcVRWqS8gbVKpN5ycpbS2L7d2A48DRmBQeY:RaGTywWYfiFBAj+T409ON5ycpbS2L7dF
Threatray 4'828 similar samples on MalwareBazaar
TLSH 1D35C510B3FD961DF6F76FB8BD71D95908B6BE766812C25C1918118F08B6F409A32B32
Reporter SecuriteInfoCom
Tags:XpertRAT

Code Signing Certificate

Organisation:Cdeefdcabcffbdbafaabefdeebeec
Issuer:Cdeefdcabcffbdbafaabefdeebeec
Algorithm:sha256WithRSAEncryption
Valid from:Nov 25 05:36:49 2020 GMT
Valid to:Nov 25 05:36:49 2021 GMT
Serial number: A9B6947C3BAE6BDBB9D835CCBCC2CC4D
Thumbprint Algorithm:SHA256
Thumbprint: 6B31AB48869643510C52E1D391312DF9DABB5F225C636A88D56AC8B739B5CBAF
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/105635/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Creating a file
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Connection attempt
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/546978
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Disables user account control notifications
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322588 Sample: SecuriteInfo.com.ArtemisTro... Startdate: 25/11/2020 Architecture: WINDOWS Score: 100 60 zytriew.duckdns.org 2->60 62 papertyy.duckdns.org 2->62 64 2 other IPs or domains 2->64 78 Malicious sample detected (through community Yara rule) 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 Yara detected XpertRAT 2->82 84 3 other signatures 2->84 9 SecuriteInfo.com.ArtemisTrojan.exe 15 3 2->9         started        14 J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0.exe 14 3 2->14         started        16 J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0.exe 2 2->16         started        18 J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0.exe 2->18         started        signatures3 process4 dnsIp5 72 hastebin.com 104.24.126.89, 443, 49720, 49740 CLOUDFLARENETUS United States 9->72 74 192.168.2.1 unknown unknown 9->74 58 C:\...\SecuriteInfo.com.ArtemisTrojan.exe.log, ASCII 9->58 dropped 98 Detected unpacking (creates a PE file in dynamic memory) 9->98 20 SecuriteInfo.com.ArtemisTrojan.exe 1 1 9->20         started        23 timeout.exe 1 9->23         started        76 104.24.127.89, 443, 49738, 49743 CLOUDFLARENETUS United States 14->76 100 Injects a PE file into a foreign processes 14->100 25 timeout.exe 1 14->25         started        27 J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0.exe 14->27         started        29 timeout.exe 1 16->29         started        31 J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0.exe 16->31         started        33 timeout.exe 18->33         started        35 J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0.exe 18->35         started        file6 signatures7 process8 signatures9 86 Changes security center settings (notifications, updates, antivirus, firewall) 20->86 88 Disables user account control notifications 20->88 90 Writes to foreign memory regions 20->90 92 2 other signatures 20->92 37 iexplore.exe 3 7 20->37         started        42 iexplore.exe 20->42         started        44 conhost.exe 23->44         started        46 conhost.exe 25->46         started        48 conhost.exe 29->48         started        50 conhost.exe 33->50         started        process10 dnsIp11 66 zytriew.duckdns.org 195.140.214.82, 4145, 49723, 49725 BANDWIDTH-ASGB United Kingdom 37->66 68 papertyy.duckdns.org 37->68 70 ghytrty.duckdns.org 37->70 54 J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0.exe, PE32 37->54 dropped 56 C:\...\J0X3M1G4-A0Q6-T8A5-M5I7-G224Y4X0N7E0, data 37->56 dropped 94 Creates an undocumented autostart registry key 37->94 96 Creates autostart registry keys with suspicious names 37->96 52 WerFault.exe 42->52         started        file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/187cd525a046dd304b15ad47a1f8923546cc97a21afae5a2344cf8cac5c5b550/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-25 10:49:34 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=db6nkjnai3otasyvvvd2d6esgvdmzf5cdl5olirujt4mvrofwvia._file
Verdict:
malicious
Similar samples:
13c555d2bc29bc384b7c496c0aefadfbe38d7b415e11c43bdbcfdf702062d1f3
XpertRAT
15b394d8f614faf02d551b0034f2882c052587d717fd4e0966919aeaf1e7ae87
XpertRAT
1dce14c664bb75e2552cafda4d35fa2f5ad0005ee0013adf4b673cd0688aa443
XpertRAT
277ad2e30607538075324d56c194f6256f2a37245f952038d709f237545bf0f1
XpertRAT
8963180e8b2e7e51c5abd716e7a562ad010f663c41a38015ad2566231a7da9af
XpertRAT
9666c06b6da42bc3cc7ae265a46cd4d137c74a1be711151efe9a44c31a894a78
XpertRAT
bb19d9c9c18233bf65768ed3534766ae87ada589f6223d015c47d5e4c2523d64
XpertRAT
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
XpertRAT
ea816a801d2882a3da04ae2b9ac3e20e0959a95d18dfb17c55bb786b3ba2c743
XpertRAT
efa7f245a35c85568d26690f149f992e77c007fa1fbb7c2f4f050cea7fcca930
XpertRAT
+ 4'818 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat trojan
Link:
https://tria.ge/reports/201125-m9haf868je/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
Adds policy Run key to start application
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Unpacked files
SH256 hash:
187cd525a046dd304b15ad47a1f8923546cc97a21afae5a2344cf8cac5c5b550
MD5 hash:
a46cbc94fc5553868d63469acad6747f
SHA1 hash:
6ca6c3d3fe0b5826c6b3d82144ab745bea2226f7
Link:
https://www.unpac.me/results/b732e5c5-5b49-4ac1-a1f9-8b0f156d3ba4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/187cd525a046dd304b15ad47a1f8923546cc97a21afae5a2344cf8cac5c5b550

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XpertRAT

Executable exe 187cd525a046dd304b15ad47a1f8923546cc97a21afae5a2344cf8cac5c5b550

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/852875/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/105635/

Comments