MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac0f87add6a605e555dc559282160c2ef708ca2fecc0799442c361c2f37f6828. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac0f87add6a605e555dc559282160c2ef708ca2fecc0799442c361c2f37f6828
SHA3-384 hash: 09bf8b9799da1d9aca6e3a0574ab716b4ee4f94aff2e0b39ff679943b62abc8d69012e3da01a0eb744776dd112b3cd33
SHA1 hash: 5873995badb3843e97bf6cfe87bcd283c30fb393
MD5 hash: b139dd38b0aaa785c555310ac2b1c3fd
humanhash: bluebird-wisconsin-tennessee-video
File name:INVNOVPAY30002021001199554Pay5443545632211000.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:1'830'400 bytes
First seen:2021-12-01 08:03:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:8nxmD1rVjinxmD1rVjinxmD1rVjsVpa8+:8AhjiAhjiAhjQa
Threatray 807 similar samples on MalwareBazaar
TLSH T11285120D73FA5F10E6B44BF5A970A6544B76743E7871E7AC1E84E4CB4230F20A65AB23
Reporter abuse_ch
Tags:exe XpertRAT


Avatar
abuse_ch
XpertRAT C2:
203.159.80.66:4822

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
203.159.80.66:4822 https://threatfox.abuse.ch/ioc/256760/

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVNOVPAY30002021001199554Pay5443545632211000.exe
Verdict:
Malicious activity
Analysis date:
2021-12-01 08:06:38 UTC
Tags:
loader
Link:
https://app.any.run/tasks/807a16b2-c478-47ca-a2b7-a682bfe6c261

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210200/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Launching a process
Changing a file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a72c3d9954e0c6bf798a82/reports/7595f185-69ec-435e-90ef-f79971ff3fd4/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a847d3ba-62ea-45f4-b538-bd5b5cec88d7
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/899225
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Disables user account control notifications
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 531703 Sample: INVNOVPAY30002021001199554P... Startdate: 01/12/2021 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for domain / URL 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 5 other signatures 2->61 8 INVNOVPAY30002021001199554Pay5443545632211000.exe 15 3 2->8         started        13 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 14 3 2->13         started        15 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 2 2->15         started        17 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 2 2->17         started        process3 dnsIp4 53 ego2021.ydns.eu 203.159.80.66, 4822, 49772, 49775 LOVESERVERSGB Netherlands 8->53 49 INVNOVPAY300020210...45632211000.exe.log, ASCII 8->49 dropped 71 Injects a PE file into a foreign processes 8->71 19 INVNOVPAY30002021001199554Pay5443545632211000.exe 1 1 8->19         started        73 Multi AV Scanner detection for dropped file 13->73 75 Machine Learning detection for dropped file 13->75 22 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 1 13->22         started        24 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 15->24         started        26 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 15->26         started        28 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 17->28         started        30 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe 17->30         started        file5 signatures6 process7 signatures8 67 Changes security center settings (notifications, updates, antivirus, firewall) 19->67 69 Disables user account control notifications 19->69 32 iexplore.exe 3 8 19->32         started        37 iexplore.exe 19->37         started        39 iexplore.exe 19->39         started        process9 dnsIp10 51 ego2021.ydns.eu 32->51 45 N3S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5.exe, PE32 32->45 dropped 47 C:\...473S8L5W2-L0D7-N6R5-I1X3-I7P6I3R8E6E5, data 32->47 dropped 63 Creates an undocumented autostart registry key 32->63 65 Creates autostart registry keys with suspicious names 32->65 41 WerFault.exe 37->41         started        43 WerFault.exe 39->43         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac0f87add6a605e555dc559282160c2ef708ca2fecc0799442c361c2f37f6828/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-12-01 05:31:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
17 of 27 (62.96%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqhyplowuyc6kvo4kwjiefqmf33qrsrp5tahtfccynq4f437naua._file
Verdict:
malicious
Similar samples:
08927d7955b1be7fd05d81a73057242117540094dda7cca1c162f3aea18c2854
XpertRAT
59b88d9a9cc0b316b6cb94cae1e639933685da63bbbfe6c384acfbc11d430aae
XpertRAT
5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b
XpertRAT
a36735377d731d16330587a190a99acbd5a1d9556e066d771268f8b4b6cd3821
XpertRAT
bc2a5e452669de43c4f4533c995b515bace2941ea5b45bb537085b204ee5d54b
XpertRAT
c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
XpertRAT
ddde7cd1d82b5dee479ac17413690cedd04ad04ee14ae271d590da80e5a2a8bd
XpertRAT
e4b8184869d65a34fb9e0fb43d8b6c252cb153f7139485e3fde6d02cd6898242
XpertRAT
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
XpertRAT
+ 797 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat collection evasion persistence rat suricata trojan
Link:
https://tria.ge/reports/211201-jxrbraaggn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Checks whether UAC is enabled
Program crash
Windows security modification
Adds policy Run key to start application
Downloads MZ/PE file
UAC bypass
Windows security bypass
XpertRAT
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
ac883a4ca52cf6a67caae723b71be687178d4dbc97e77604b5b7c1b0a2c90097
MD5 hash:
7d746a0712570f7b0bfc4697524e5860
SHA1 hash:
a36d4dc1381ecaa4402b6894fed031ab14fe8161
Link:
https://www.unpac.me/results/69d11802-84c3-43a1-9e5b-e9dfb679abce/
SH256 hash:
ac0f87add6a605e555dc559282160c2ef708ca2fecc0799442c361c2f37f6828
MD5 hash:
b139dd38b0aaa785c555310ac2b1c3fd
SHA1 hash:
5873995badb3843e97bf6cfe87bcd283c30fb393
Link:
https://www.unpac.me/results/69d11802-84c3-43a1-9e5b-e9dfb679abce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ac0f87add6a605e555dc559282160c2ef708ca2fecc0799442c361c2f37f6828

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:MALWARE_Win_XpertRAT
Create hunting rule
Author:ditekSHen
Description:XpertRAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xpertrat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/210200/

Comments