MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 857e88abbcf84ed98d208749da6457a7858176656f7ed4916adf355794e67fec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XpertRAT


Vendor detections: 13



SHA256 hash: 857e88abbcf84ed98d208749da6457a7858176656f7ed4916adf355794e67fec
SHA3-384 hash: 6983bad5ea0fd23f1e95e7e216e63140b8975abc9037dc32fe6ab0edde7cfb22bf8ef5764124e12a95367c7e0ffc03d8
SHA1 hash: d43d9a8cd8c8ab443a8567e8e467f58395b9c307
MD5 hash: 0fba4fe17da6f869210904e2b613a95e
humanhash: asparagus-crazy-fifteen-early
File name: 0fba4fe17da6f869210904e2b613a95e.exe
Signature: XpertRAT
File size: 390'144 bytes
First seen: 2022-01-22 20:06:25 UTC
Last seen: 2022-01-22 21:49:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:Igfey1Xs+i68+gv1geuaddfUtu7ZgNPJTBjWuqFC/Bc2OvttYK1YGSoOhpRRRRRP:Igfpi687v6ezdBUE7g8uqFwQv3f7kRRy
TLSH: T10384123903FCF35BC5BE47B9F8A1008853B1D617B351E38B5B92A56D0D633C18E169A2
Reporter: abuse_ch
Tags: exe XpertRAT


abuse_ch
XpertRAT C2:
62.197.136.115:6512

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
62.197.136.115:6512 | https://threatfox.abuse.ch/ioc/313582/

Intelligence


File Origin
# of uploads: 2
# of downloads: 381
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0fba4fe17da6f869210904e2b613a95e.exe
Verdict: Malicious activity
Analysis date: 2022-01-22 22:45:45 UTC
Tags: trojan rat xpertrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed racealer
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: MailPassView XpertRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Disables UAC (registry)
Disables user account control notifications
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Yara detected XpertRAT
Behaviour
Behavior Graph ID: 558201; Sample: jhGmkMvrd6.exe; Start date: 22/01/2022; Architecture: WINDOWS; Score: 100
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
Process tree recovered from the graph text (the rendered graph itself is not reproducible here):
jhGmkMvrd6.exe (drops C:\Users\user\AppData\...\jhGmkMvrd6.exe.log, ASCII; Detected unpacking (creates a PE file in dynamic memory); Queries sensitive video device information via WMI, Win32_VideoController)
    jhGmkMvrd6.exe (Changes security center settings; Disables user account control notifications; Writes to foreign memory regions; 3 other signatures)
        iexplore.exe (DNS/IP: hgtrading.ydns.eu 62.197.136.115, ports 49745, 49746, 49747, SPRINTLINKUS, Netherlands; drops I4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe, PE32; Creates an undocumented autostart registry key; Creates autostart registry keys with suspicious names)
            iexplore.exe (3 instances) and 3 other processes
                WerFault.exe (started by the first iexplore.exe child)
I4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (3 instances started at top level; Multi AV Scanner detection for dropped file)
    I4G3L113-M7Y0-X0M5-M3D5-U8C7U551Q8Q7.exe (one child instance under each)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2022-01-22 15:16:12 UTC
File Type: PE (.Net Exe)
Extracted files: 15
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: xpertrat
Score: 10/10
Tags: family:xpertrat collection evasion persistence rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Windows security modification
Adds policy Run key to start application
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
UAC bypass
Windows security bypass
XpertRAT
Unpacked files
SHA256 hash: e46fbc1a67765c05f1640d79901900679e962dd4f6087bcb849177b5fe6846be
MD5 hash: 1f5ea7e4e763ec8d9a0580f9fd637594
SHA1 hash: e880db52473ddc34903792cd77705307be785d55

SHA256 hash: 06520a69538d70af2ec1cb5ab02a7c45cdca0f10d31d153f19abad98fad63762
MD5 hash: 08248dfed05745a417ba00e9967d4718
SHA1 hash: 1b0a7122d71db352d11a81729aba0fcfae4df834
Detections: win_xpertrat_a0 win_xpertrat_auto

SHA256 hash: 24bae02056abde6d68745b4b9ecbc3693c4d9685db5921a18f87ef029d60a2cc
MD5 hash: 2e1342e640ba1f94f986b1043fa176e1
SHA1 hash: f265f005125335cd2d71e055dcde58fa8ff4150e

SHA256 hash: 70028e22c06e64a3c24f307aefd10678ac3db9e4b8091c690f23176443c921f5
MD5 hash: 9426153840a5e46841a0d0b3f57979be
SHA1 hash: 0d9a532e8b8e01ac73c0de9bbf640e02b11edbed

SHA256 hash: 857e88abbcf84ed98d208749da6457a7858176656f7ed4916adf355794e67fec
MD5 hash: 0fba4fe17da6f869210904e2b613a95e
SHA1 hash: d43d9a8cd8c8ab443a8567e8e467f58395b9c307
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments