MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 276963ec4efb403c18a96f94786c7b9f775a1bb22169636d8f594241288df9d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 276963ec4efb403c18a96f94786c7b9f775a1bb22169636d8f594241288df9d3
SHA3-384 hash: f496b05dd9abeee6c74d379119a31acaad6bac59b4dc5ec5a50377e6490d02a54071814f1d67a9618c9ec04b947b8db9
SHA1 hash: b9943156ba008c49589df08a936f213ecdf52729
MD5 hash: 7fdc62d82d767e18af6869c620a52cd1
humanhash: arizona-robert-seven-harry
File name:RFQ 13970 DT.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:549'376 bytes
First seen:2020-06-04 07:14:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:QDY1hJG0fFgNfr2KIHumCK+7qx3vBQSP4Nbrky/To93c5UFOVdTL:Zf612bC
Threatray 1'544 similar samples on MalwareBazaar
TLSH EDC4299C722072EFC85BD472DAA82D68EA61747B831F4607902715EDEE0C997CF244F2
Reporter abuse_ch
Tags:exe XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: kavita_d@hindustancopper.com
Subject: CLARRIFICATION RFQ 13970 DT.02 / 03/2020 DUE DT.17 / 05/2020
Attachment: RFQ 13970 DT.gz (contains "RFQ 13970 DT.exe")

XpertRAT C2:
79.134.225.85:3135

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 07:22:09 UTC
AV detection:
26 of 48 (54.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5uwh3co7nadygfjn6khq3d3t53vug5sefuwg3mplfbecken7hjq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
206ffd0bd61efa5d7555466690e7e20ee7bcf6f8e45323bb1bb01b85073bc77b
XpertRAT
2634fb80e3aae92bb4b0fa252d7be8242629a9dbcd14301b0002e8d1bfc8b420
XpertRAT
5ed34087532263b2a7797a258fadc6d243e1eaedc7bcd2860fbb7ee2e1e6306c
XpertRAT
7248d0601627171f4663a14d2e7ca4d80dc8060cd8e126ff18b53d9139b5e423
XpertRAT
898fb94bb9fb9894ad31a2c4eec424aa0de35cfe8fb97f9da0914105d397ea3f
XpertRAT
95f69b9685e5b4cb229d4f95a60d9e50b09496d84afea57a56d766cbe6d767de
XpertRAT
960bdf7b7b3bd263fcd5aa32f4b0ddb567349d46f6d5062a8000981675bffe6f
XpertRAT
c43664e2b2ec5c1f4d836f46e2e13452a4d717b8cfd39bd3deceba6bac70d45f
XpertRAT
e245394d284c52b53c088927f7548cccff63b0bdc36427c1e4f6f66edc3153bd
XpertRAT
f0d974877788d51cac1ed85bc88b5a91ec314d44ce32893c0fa676bbad300fa5
XpertRAT
+ 1'534 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat rezer0 trojan
Link:
https://tria.ge/reports/201109-v9ndalt5kj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
Adds policy Run key to start application
rezer0
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

gz 192f3ed9b0e879269fee5997c9d5fbb215a8747f872cce81132e2811d12d5684

XpertRAT

Executable exe 276963ec4efb403c18a96f94786c7b9f775a1bb22169636d8f594241288df9d3

(this sample)

  
Dropped by
MD5 cb0be933c6bc24c71258767f1dc58ee5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 192f3ed9b0e879269fee5997c9d5fbb215a8747f872cce81132e2811d12d5684

Comments