MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51297f05449c2fe207a4635e0d1123c137bfdfd97157e09b00af119733952197. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51297f05449c2fe207a4635e0d1123c137bfdfd97157e09b00af119733952197
SHA3-384 hash: 228e980e61e3f99b7466de43059e447d848450895386cfeb0a9d3e09dbbb5c66fe041924122238cc8a5bc59cba3414d5
SHA1 hash: 2743c5503618c05afa9cea47b04d4965c1539d9a
MD5 hash: 173e540463300babea87380df68d79c2
humanhash: blossom-hydrogen-stairway-echo
File name:173e540463300babea87380df68d79c2.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:909'312 bytes
First seen:2021-07-01 06:31:40 UTC
Last seen:2021-07-01 07:57:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:j4LnjcHhu/5WhuSSI0vYy/Wn0XCi8f2P5ITwdD3JjB0nsR7DZ5u3v6kSVhLAp+J5:ucHhuxWQSZSs4B7q0D3r0IZ
Threatray 4'475 similar samples on MalwareBazaar
TLSH 57157CAC3254359EC567C6BACAA8AC74EA613C66531BC107909309DFAE0DB87DF105F3
Reporter abuse_ch
Tags:exe XpertRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
173e540463300babea87380df68d79c2.exe
Verdict:
Malicious activity
Analysis date:
2021-07-01 06:34:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/65a0c84f-79ea-4f00-8951-2d24707a3946

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169066/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.897.18361.17647.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25567bd7-5f29-47f0-877d-15a51210a27a
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810362
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Disables user account control notifications
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442773 Sample: Ic40U0IBYw.exe Startdate: 01/07/2021 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 7 other signatures 2->65 7 Ic40U0IBYw.exe 3 2->7         started        11 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 3 2->11         started        13 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 2 2->13         started        15 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 2 2->15         started        process3 file4 35 C:\Users\user\AppData\...\Ic40U0IBYw.exe.log, ASCII 7->35 dropped 67 Detected unpacking (creates a PE file in dynamic memory) 7->67 69 Injects a PE file into a foreign processes 7->69 17 Ic40U0IBYw.exe 1 1 7->17         started        71 Multi AV Scanner detection for dropped file 11->71 20 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 1 11->20         started        22 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 11->22         started        24 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 1 13->24         started        26 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 13->26         started        28 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe 15->28         started        signatures5 process6 signatures7 51 Changes security center settings (notifications, updates, antivirus, firewall) 17->51 53 Disables user account control notifications 17->53 55 Writes to foreign memory regions 17->55 57 2 other signatures 17->57 30 iexplore.exe 3 7 17->30         started        process8 dnsIp9 41 mertrerfeyy.duckdns.org 195.133.40.193, 8494 SPD-NETTR Russian Federation 30->41 43 gwtruwhgw.duckdns.org 30->43 45 dfgrttuutii.duckdns.org 30->45 37 M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7.exe, PE32 30->37 dropped 39 C:\...\M2P7W1K1-J110-W5Y5-F7Y0-B2B7A0M6B1K7, data 30->39 dropped 47 Creates an undocumented autostart registry key 30->47 49 Creates autostart registry keys with suspicious names 30->49 file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51297f05449c2fe207a4635e0d1123c137bfdfd97157e09b00af119733952197/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-30 15:53:24 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08927d7955b1be7fd05d81a73057242117540094dda7cca1c162f3aea18c2854
XpertRAT
187cd525a046dd304b15ad47a1f8923546cc97a21afae5a2344cf8cac5c5b550
XpertRAT
5183105aacaf926e7358ff33a1503e58d712a9fc97800bbe8e26132284acb414
XpertRAT
59b88d9a9cc0b316b6cb94cae1e639933685da63bbbfe6c384acfbc11d430aae
XpertRAT
5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b
XpertRAT
a36735377d731d16330587a190a99acbd5a1d9556e066d771268f8b4b6cd3821
XpertRAT
d3f2094ff947212a812af1a551b602d9056843ae7f3bdf5f95c90e0590f9fb0a
XpertRAT
daf3291e47f8659d58a505b5ed585987018001e08827f3aff1ab0bb860bd5c80
XpertRAT
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
XpertRAT
ff9d837e464eb07ad603c0b2ac0a35029117123c31570baeb61fca9a0242b493
XpertRAT
+ 4'465 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat trojan
Link:
https://tria.ge/reports/210701-c6lyh6xdfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
Adds policy Run key to start application
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Unpacked files
SH256 hash:
8c04434ad2bfc00f64725702a067638e9840cd48c76c0f7848f6f1130e5af195
MD5 hash:
20ca42153423d29105b5db799b7be804
SHA1 hash:
39cd2dfd9730043fff1b7678e23f521a39797ed5
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/0464bfe7-cf3c-42e0-ad8f-58449b6b6835/
Parent samples :
79aa4d81cf5455a126a2b7474067f392acc392370fa6ae0a62f7e1e0271775c2
51297f05449c2fe207a4635e0d1123c137bfdfd97157e09b00af119733952197
SH256 hash:
cf8a8dc38a8b77ca89ae8155bcdd88862283187f8f29d55fa445d63782a4f464
MD5 hash:
148d3f2bbe5e028a32cba3d1e25c52d8
SHA1 hash:
1b56050ee83b76a399a17a2a2325263473b03982
Link:
https://www.unpac.me/results/0464bfe7-cf3c-42e0-ad8f-58449b6b6835/
SH256 hash:
f1474a6ea82d788aee643d966ff3e4f45536bec4bf5b3bf2830edda63f94cfb8
MD5 hash:
0006eda460823c8b4972a8be94f809d2
SHA1 hash:
a1acb9f47a3383f27db0615d98363df0c1c5e4e4
Link:
https://www.unpac.me/results/0464bfe7-cf3c-42e0-ad8f-58449b6b6835/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/0464bfe7-cf3c-42e0-ad8f-58449b6b6835/
SH256 hash:
9810d4a53a0be4d7d7e339ec24257aba4aba8a1687b2914fec6a2fd91f784b48
MD5 hash:
d23cd1687aae0736ee1efc8e6aa307aa
SHA1 hash:
365a53882c82d3ec4e04fde843c88a3f20916ded
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/0464bfe7-cf3c-42e0-ad8f-58449b6b6835/
SH256 hash:
51297f05449c2fe207a4635e0d1123c137bfdfd97157e09b00af119733952197
MD5 hash:
173e540463300babea87380df68d79c2
SHA1 hash:
2743c5503618c05afa9cea47b04d4965c1539d9a
Link:
https://www.unpac.me/results/0464bfe7-cf3c-42e0-ad8f-58449b6b6835/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51297f05449c2fe207a4635e0d1123c137bfdfd97157e09b00af119733952197

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XpertRAT

Executable exe 51297f05449c2fe207a4635e0d1123c137bfdfd97157e09b00af119733952197

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1150070/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/169066/

Comments