MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101
SHA3-384 hash: c86626ba7a6da7d7e17e25ae5c92cb21f3dfc753a4e13942c1284e9bf0f592e8cfad5f96f625fff170ae8637e3ccc97b
SHA1 hash: 3e92a77ad4e208a678d5f0ccdd5bba0a9c08ecbb
MD5 hash: 9ef7a2253f269a14bf170f4a60a97538
humanhash: speaker-fanta-paris-steak
File name: Chemicals Genaral presentation.exe
Signature: XpertRAT
File size: 290'816 bytes
First seen: 2020-06-30 09:04:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:v/VPsUcpb+BIaUpE9l0NKd2rQYSp9IZZNtIWdreNWwq3FCGSsVS:v/VPs9tvmpMQn6ZPtIIQvqDSsVS
TLSH: 2154013422BA1B36D5FDCBB125B050140FF2B54B6261D76D2E9821EE1AF37009A36F93
Reporter: @abuse_ch
Tags: exe nVpn RAT XpertRAT


Twitter (@abuse_ch)
Malspam distributing XpertRAT:

HELO: vps.gibalto.es
Sending IP: 82.194.93.48
From: procurement <procurement@airproducts.com>
Subject: Tender
Attachment: Chemicals Genaral presentation.gz (contains "Chemicals Genaral presentation.exe")

XpertRAT C2:
79.134.225.85:3135

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 28
Origin country: FR
CAPE Sandbox Detection: XpertRAT
Link: https://www.capesandbox.com/analysis/17068/
ClamAV: SecuriteInfo.com.Generic-EXE.UNOFFICIAL
CERT.PL MWDB Detection: n/a
Link: https://mwdb.cert.pl/sample/2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101/
ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Kryptik
First seen: 2020-06-30 09:06:06 UTC
AV detection: 18 of 31 (58.06%)
Threat level: 5/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: n/a
Link: https://tria.ge/reports/200630-y3y9tpza3s/
Tags: evasion trojan persistence spyware
VirusTotal: 9.86%

Yara Signatures


Rule name: win_vobfus_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_xpertrat_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

Executable exe 2b8072cf7b0c14a4f9c662d66cf5f6a64c7defb73fb6b0fcc9cd5d32ff004101 (this sample)

Delivery method: Distributed via e-mail attachment

Comments