MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1
SHA3-384 hash: c7685193e1c7cbca83c1111d4a9ad9ecf7e5202bfff5969f569fae458bfebc89f2b84042e5f7b1e18363c044729230f7
SHA1 hash: 98ff07105b6e3972f79d9ad872730a2a7da1063d
MD5 hash: 03d11e6b979a69b7ebda725436ab236e
humanhash: music-comet-helium-six
File name:SecuriteInfo.com.Troj.XMLDwn-AS.10120.0
Download: download sample
Signature XpertRAT
Create hunting rule
File size:832'873 bytes
First seen:2020-12-05 11:46:44 UTC
Last seen:Never
File type:Rich Text Format (RTF) rtf
MIME type:text/rtf
ssdeep 3072:9u+SKOxaGhRnm1boAS0SKOxaGhRnm1boAS2vTbXOnHmB31zjdzFDrVRDAw5wfn:A+StocAvStocAZbXOnHwjdzFDhRDAUw/
TLSH 0505A2B108AFD170E5094D0C25A5F4945DB6FFA230CD9CA5E32E5164DF6EEE02FA0A93
Reporter SecuriteInfoCom
Tags:CVE-2017-8570 XpertRAT

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

Intelligence

File Origin
# of uploads :
1
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VB.Trojan.Valyria.3339.27526.26072.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Exp.20178570-B.621.22786.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Troj.XMLDwn-AS.10120.0.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Changing a file
Creating a file in the Program Files subdirectories
Creating a file in the system32 directory
Launching a service
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Loading a system driver
Sending an HTTP GET request
Blocking the User Account Control
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Forced shutdown of a system process
Launching a file downloaded from the Internet
Enabling autorun
Result
Verdict:
Malicious
File Type:
RTF File
Link:
https://app.docguard.net/1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1/results/dashboard
Result
Verdict:
MALICIOUS
Result
Threat name:
AveMaria MailPassView XpertRAT
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/556230
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Disables user account control notifications
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Microsoft Office creates scripting files
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process drops PE file
Powershell drops PE file
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Powershell download and execute file
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 327217 Sample: SecuriteInfo.com.Troj.XMLDw... Startdate: 05/12/2020 Architecture: WINDOWS Score: 100 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 Sigma detected: Powershell download and execute file 2->90 92 20 other signatures 2->92 10 WINWORD.EXE 310 44 2->10         started        15 A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe 2->15         started        17 A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe 2->17         started        19 2 other processes 2->19 process3 dnsIp4 80 192.3.194.245, 49165, 49166, 49167 AS-COLOCROSSINGUS United States 10->80 66 C:\Users\user\AppData\...\xpertorigin[1].exe, PE32 10->66 dropped 68 C:\Users\user\AppData\Local\...\FLD3B4.tmp, 370 10->68 dropped 70 C:\Users\user\AppData\...\Abctfhghgdghgh .scT, data 10->70 dropped 72 C:\Users\user\AppData\Local\...4288F7F.png, 370 10->72 dropped 124 Document exploit detected (creates forbidden files) 10->124 126 Suspicious powershell command line found 10->126 128 Tries to download and execute files (via powershell) 10->128 136 2 other signatures 10->136 21 powershell.exe 7 10->21         started        23 powershell.exe 7 10->23         started        26 powershell.exe 12 7 10->26         started        30 FLTLDR.EXE 10->30         started        130 Antivirus detection for dropped file 15->130 132 Multi AV Scanner detection for dropped file 15->132 134 Machine Learning detection for dropped file 15->134 file5 signatures6 process7 dnsIp8 32 xpertorigin.exe 8 19 21->32         started        64 C:\Users\user\AppData\...\xpertorigin.exe, PE32 23->64 dropped 37 xpertorigin.exe 1 23->37         started        82 192.3.194.24 AS-COLOCROSSINGUS United States 26->82 118 Suspicious powershell command line found 26->118 120 Tries to download and execute files (via powershell) 26->120 122 Powershell drops PE file 26->122 file9 signatures10 process11 dnsIp12 76 zytriew.duckdns.org 195.140.214.82, 4145, 49276, 49454 BANDWIDTH-ASGB United Kingdom 32->76 78 google.ru 172.217.23.99, 49168, 49169, 49170 GOOGLEUS United States 32->78 56 C:\Users\user\AppData\Roaming\kEhBEJswD.exe, PE32 32->56 dropped 58 C:\Users\user\AppData\...\xpertee[1].exe, PE32 32->58 dropped 60 C:\Program Files\Microsoft DN1\sqlmap.dll, PE32+ 32->60 dropped 62 C:\Windows\System32\rfxvmt.dll, PE32+ 32->62 dropped 94 Hides user accounts 32->94 96 Tries to harvest and steal browser information (history, passwords, etc) 32->96 98 Increases the number of concurrent connection per server for Internet Explorer 32->98 100 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->100 39 kEhBEJswD.exe 1 1 32->39         started        102 Multi AV Scanner detection for dropped file 37->102 104 Contains functionality to inject threads in other processes 37->104 106 Contains functionality to steal Chrome passwords or cookies 37->106 108 Contains functionality to steal e-mail passwords 37->108 file13 signatures14 process15 signatures16 110 Antivirus detection for dropped file 39->110 112 Multi AV Scanner detection for dropped file 39->112 114 Changes security center settings (notifications, updates, antivirus, firewall) 39->114 116 6 other signatures 39->116 42 iexplore.exe 39->42         started        process17 dnsIp18 84 zytriew.duckdns.org 42->84 74 A8O1E003-R4Q1-P8Q3-X4A6-Y2R2V7W0G8T1.exe, PE32 42->74 dropped 138 Creates an undocumented autostart registry key 42->138 140 Creates autostart registry keys with suspicious names 42->140 47 iexplore.exe 42->47         started        50 iexplore.exe 42->50         started        52 iexplore.exe 42->52         started        54 2 other processes 42->54 file19 signatures20 process21 signatures22 142 Searches for Windows Mail specific files 47->142
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1/
Threat name:
Document-Office.Exploit.CVE-2017-8570
Create hunting rule
Status:
Malicious
First seen:
2020-12-04 19:18:00 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duhuwvssj4hivi4bhlu7ftn7litscz7cr4i4harmsxkbknd6loqq._file
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:warzonerat family:xpertrat evasion infostealer persistence rat spyware trojan upx
Link:
https://tria.ge/reports/201205-kfgkcwfgm6/
Behaviour
System policy modification
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
NTFS ADS
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Modifies WinLogon
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Adds policy Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Sets DLL path for service in the registry
UPX packed file
Warzone RAT Payload
Process spawned unexpected child process
UAC bypass
WarzoneRat, AveMaria
Windows security bypass
XpertRAT
XpertRAT Core Payload
Malware Config
Dropper Extraction:
httP://192.3.194.245/xpertorigin.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Exploit
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d0f4b56524f0e8aa3813ae9f2cdbf5a272167e28f11c3822c95d415347e5ba1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Retefe
Create hunting rule
Author:bartblaze
Description:Retefe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments