MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47230c3bcf570bb50440eee83fb83bebe937489895a2b3fee9805ad675fb239f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XpertRAT

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	47230c3bcf570bb50440eee83fb83bebe937489895a2b3fee9805ad675fb239f
SHA3-384 hash:	db5986f9a4508e96782129556329ee1fe08a288925b032940a532a3853fe4bf44d7b1ba787f4801f7332c1aee87f94b6
SHA1 hash:	c462561babf3f27d9afb5ebd1b07629f64baa4d3
MD5 hash:	7694cacbd4702388c664661eeff13bd4
humanhash:	lake-beryllium-lactose-sweet
File name:	WaybillDoc_9910812295.exe
Download:	download sample
Signature	XpertRAT Create hunting rule
File size:	392'192 bytes
First seen:	2020-07-29 05:21:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:HGk33Z9ETjrGkp1z/o7AIBsW12kZi//+HG5O4bpa4gn0xDBezTdb0jg5aiDfM5RM:HGk3J9+uoZ/BIB5gkZk0eO4ta4g0ZBeB
Threatray	296 similar samples on MalwareBazaar
TLSH	E784122D03C80B0BDD5DA4F485911E4567F4F2B635C2EAA97CC6A3ED68E33E3074169A
Reporter	abuse_ch
Tags:	exe nVpn RAT XpertRAT

abuse_ch

Malspam distributing XpertRAT:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: DHL EXPRESS <notice@dhl.com>
Subject: SHOWS Waybill
Attachment: WaybillDoc_9910812295.zip (contains "WaybillDoc_9910812295.exe")

XpertRAT C2:
194.5.99.136:3135
79.134.225.85:3135

Hosted on nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@privacyfirst.sh'

inetnum: 194.5.99.0 - 194.5.99.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU6
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-07-20T20:42:53Z
last-modified: 2020-07-28T21:06:37Z
source: RIPE

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34118/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Launching a process

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a file in the %temp% directory

Using the Windows Management Instrumentation requests

Deleting a recently created file

Replacing files

Unauthorized injection to a recently created process

Blocking the User Account Control

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Sending a TCP request to an infection source

Enabling autorun

Result

Threat name:

XpertRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/401181

Signature

Allocates memory in foreign processes

Changes security center settings (notifications, updates, antivirus, firewall)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Detected unpacking (creates a PE file in dynamic memory)

Disables UAC (registry)

Disables user account control notifications

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM_3

Yara detected Generic Dropper

Yara detected XpertRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47230c3bcf570bb50440eee83fb83bebe937489895a2b3fee9805ad675fb239f/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 05:23:05 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i4rqyo6pk4f3kbca53ud7ob35putoseyswrlh7xjqbnnm5p3eopq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200729-qbj5jrxana/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Checks whether UAC is enabled

Adds Run key to start application

Windows security modification

Adds policy Run key to start application

UAC bypass

Windows security bypass

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47230c3bcf570bb50440eee83fb83bebe937489895a2b3fee9805ad675fb239f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_xpertrat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator