MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b5541d2b21aecc162a92f39f7641986f5cecbbb840257bdb88fa028fc0455bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b5541d2b21aecc162a92f39f7641986f5cecbbb840257bdb88fa028fc0455bf
SHA3-384 hash: 3168c81f86ef906c32829e0c70020f863a76dde43fd085f040be6ec2cd2689a72f2e5d3a0c651cb7b99b5d8747fa6e51
SHA1 hash: 5f537e1c5f0697ae7bad26d63f48eb2742aa088a
MD5 hash: a9d7b2f135e01501aa61e6dc1b20f598
humanhash: east-speaker-coffee-pasta
File name:Chemicals Genaral presentation.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:282'112 bytes
First seen:2020-07-02 07:05:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:kuwlU1oU9d8Y4CEER1nhdi0pVzmMtcDn2gWuPbubA:cA1nz4CbBtpVqMtk
Threatray 144 similar samples on MalwareBazaar
TLSH 7B54CF2467FC5228FEB91B78EAB242445373BAAC6936D72E098D205E1F77F448211773
Reporter abuse_ch
Tags:exe nVpn RAT XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

HELO: server.kibriswebtasarimi.com
Sending IP: 176.9.21.149
From: procurement <procurement@airproducts.com>
Subject: Tender//2020/07
Attachment: Chemicals Genaral presentation.gz (contains "Chemicals Genaral presentation.exe")

XpertRAT C2:
79.134.225.85:3135

Hosted on nVpn:

% Information related to '79.134.225.64 - 79.134.225.127'

% Abuse contact for '79.134.225.64 - 79.134.225.127' is 'abuse@your-vpn.network'

inetnum: 79.134.225.64 - 79.134.225.127
netname: YOUR_VPN_NETWORK
country: DE
remarks: ****************************************************
remarks: This subnet belongs to a VPN service provider.
remarks: We protect the right to privacy, which means
remarks: we don't log the activities of our users.
remarks: ****************************************************
admin-c: EH4074-RIPE
tech-c: YVN10-RIPE
status: ASSIGNED PA
abuse-c: YVN10-RIPE
org: ORG-YVN1-RIPE
mnt-by: AF15-MNT
created: 2019-07-19T18:26:38Z
last-modified: 2019-07-19T18:51:28Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18347/
Detection(s):
SecuriteInfo.com.Fareit-FVRA9D7B2F135E0.6125.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b5541d2b21aecc162a92f39f7641986f5cecbbb840257bdb88fa028fc0455bf/
Threat name:
ByteCode-MSIL.Infostealer.Azorult
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 07:07:06 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pnkuduvsdlwmcyvjf447ozazq3245s53qqbfppnyr6qcr7aekw7q._file
Verdict:
malicious
Similar samples:
0d46f6cd2186a84326476f3d5a76b4060889d787c92cd0aa7e77eeceb1cc05b6
XpertRAT
0dddaffd814d2594a556109bb98ae820eb147567ab84dac08e3cc4cb1ce81d4c
XpertRAT
1a258f5509ae1bb4edace69afd414ba2f0cb4a708f73d6d3109aa027117cd5a1
XpertRAT
1c2bc64a7bfeaa6b61a5094ee4562008df806659b49e81f449e74be07bfcd80c
XpertRAT
24c562354db976b7e22cd1573ce340d058061eae82feb671cf8b1c5c11f5a70c
XpertRAT
6f019b52d40fa6975b85802c83264877db5c47493fd9bf9307f5fba0ef2393aa
XpertRAT
84677c149d04ffa351b3dcb6adf5b7b4e1cffc27196c4aaa2db06842a15a00ca
XpertRAT
93829e18901794a25cdf80052f95b3ac59a8610bf4dcf4320936e763bc26ab6e
XpertRAT
9464eba54dd22af19c810637f246d9f6239a74f38ace5efddfbe8e37c5c64768
XpertRAT
b7946830a71af1e359d6b3880bd283ab2c50ff1a07f7364cd7e17a4fa6512135
XpertRAT
+ 134 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200702-l1vrbexf3a/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Maps connected drives based on registry
Adds Run entry to start application
Checks BIOS information in registry
Looks for VMWare Tools registry key
Adds Run entry to policy start application
Looks for VirtualBox Guest Additions in registry
UAC bypass
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_vobfus_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

gz 3702ece2474ad1bac1e0860417313828ddd02d05619975d85080d0ec8ee2747d

XpertRAT

Executable exe 7b5541d2b21aecc162a92f39f7641986f5cecbbb840257bdb88fa028fc0455bf

(this sample)

  
Dropped by
MD5 b2b79d8f6e199088de79e304437ed164
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3702ece2474ad1bac1e0860417313828ddd02d05619975d85080d0ec8ee2747d
Cape
Cape
https://www.capesandbox.com/analysis/18347/

Comments