MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18919b2621fa34a4d1ba698fb8ec198f6fceb6fa904e0287574f5774a69d2ba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XpertRAT

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	18919b2621fa34a4d1ba698fb8ec198f6fceb6fa904e0287574f5774a69d2ba2
SHA3-384 hash:	aa46ebfa63442693b42c54ec8cb92707e955984234004f8b3b0d12536037b75b0ea2f51eb2c5ca8767dffa353d489025
SHA1 hash:	eeed338d3f10bfe035f82528348cde2bdf9c941b
MD5 hash:	0726be5c1522de6e13e544e1aea0ec36
humanhash:	magazine-freddie-queen-michigan
File name:	WaybillDoc_9910812295.zip
Download:	download sample
Signature	XpertRAT Create hunting rule
File size:	375'790 bytes
First seen:	2020-07-29 05:21:07 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	6144:TXRwU9ETjrGkp7z/o7OIBsWR2kZi/3+HG5Oabpasgn0xDjezTdx0jg5aiFfM5RR:T/9+uoX/BIB5skZS0eOatasg0ZjeVx0F
TLSH	D484233D06904C406E8EE061DB616EA5FA40BB787CC3D86A155BB359ACF23F396C560D
Reporter	abuse_ch
Tags:	nVpn RAT XpertRAT zip

abuse_ch

Malspam distributing XpertRAT:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: DHL EXPRESS <notice@dhl.com>
Subject: SHOWS Waybill
Attachment: WaybillDoc_9910812295.zip (contains "WaybillDoc_9910812295.exe")

XpertRAT C2:
194.5.99.136:3135
79.134.225.85:3135

Hosted on nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.99.0 - 194.5.99.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU6
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-28T21:06:37Z
source: RIPE

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE