MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b642ee9e0c62dcbb71ca4e722dc7a45e090ac60bd35f34c3199ad98c568cde6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b642ee9e0c62dcbb71ca4e722dc7a45e090ac60bd35f34c3199ad98c568cde6b
SHA3-384 hash: 581c748901785a68219d9cd3591e1524c4f2866a8d8c4ce2439e28fe91b0542fc2ce6b5d9da7c8337580a75a40bd8db1
SHA1 hash: 2cb26257e261f7c0a2d82405b76963f4008fd531
MD5 hash: 720f271211bc96a23df00598e1f15656
humanhash: mississippi-nebraska-quebec-river
File name:Castor.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:176'128 bytes
First seen:2020-10-21 08:05:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a5db5a466a58a88fc36a0259818100cd (6 x XpertRAT)
ssdeep 3072:0NWDBJIfDRpQP+DrqJxBPJpx3GISpvwb9+NWu1+RGcXPlwPb2R:0IBeQPyrMBPJpZDS6b9+NWFGE
Threatray 2'486 similar samples on MalwareBazaar
TLSH A604E00ABE5B0857F01C483096D68BE55BBDB85B39976D3FEB0047102BA296815D3EF3
Reporter abuse_ch
Tags:exe RAT XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

From: fatturazione@cbceurope.it
Subject: CBC (EUROPE) SRL -fatturs de pagamento 0CV1-005444
Attachment: invoice.r11 (contains "Castor.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73888/
Detection(s):
Win.Trojan.004be7cd-6760703-0
Create hunting rule

Win.Trojan.Generic-6760707-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Connection attempt
Blocking the User Account Control
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/505391
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Deletes itself after installation
Disables user account control notifications
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301726 Sample: Castor.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 2 other signatures 2->40 7 Castor.exe 1 1 2->7         started        10 V1B5T2E0-T6R4-O5P1-P7G0-X443Q1Y6T3M3.exe 1 2->10         started        12 V1B5T2E0-T6R4-O5P1-P7G0-X443Q1Y6T3M3.exe 1 2->12         started        14 V1B5T2E0-T6R4-O5P1-P7G0-X443Q1Y6T3M3.exe 1 2->14         started        process3 signatures4 48 Changes security center settings (notifications, updates, antivirus, firewall) 7->48 50 Disables user account control notifications 7->50 52 Writes to foreign memory regions 7->52 58 3 other signatures 7->58 16 iexplore.exe 3 7 7->16         started        21 iexplore.exe 7->21         started        54 Antivirus detection for dropped file 10->54 56 Multi AV Scanner detection for dropped file 10->56 process5 dnsIp6 30 185.165.153.219, 2819, 49730, 49732 DAVID_CRAIGGG Netherlands 16->30 32 127.0.0.1 unknown unknown 16->32 28 V1B5T2E0-T6R4-O5P1-P7G0-X443Q1Y6T3M3.exe, PE32 16->28 dropped 42 Creates an undocumented autostart registry key 16->42 44 Creates autostart registry keys with suspicious names 16->44 46 Writes to foreign memory regions 16->46 23 notepad.exe 16->23         started        26 WerFault.exe 21->26         started        file7 signatures8 process9 signatures10 60 Deletes itself after installation 23->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b642ee9e0c62dcbb71ca4e722dc7a45e090ac60bd35f34c3199ad98c568cde6b/
Threat name:
Win32.Trojan.Symmi
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 22:19:10 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzbo5hqmmlolw4okjzzc3r5elyeqvrql2nptjqyztlmyyvum3zvq._file
Verdict:
unknown
Similar samples:
07bea1f0f5a11fdada688ba215ee670c1a77d2f05b0e1125edaee37e66a0819c
XpertRAT
2a1dd64638dac970b58a8dc939415fcc2a4532211295f1c72370df4df91447e1
XpertRAT
49b1f7e34f74b3ea4b97852292dfd6e856a58f74a181f5a3aadd6356503ae617
XpertRAT
4e0e1ee117544cc9cb6784d36db3d349624ef1c888267b1e266a03ddb17d33a1
XpertRAT
53174a644680154786d09b66cc8c4a1aa83c625bd10137600bf191573fa5c602
XpertRAT
6071f492ac8c77276c835e56c32be50594b69aab8a00f05fbdbade329fc7f46c
XpertRAT
71ba6b649b4ea43c7139f5d429d2ec449f129fdc588c103546d5970a6db33103
XpertRAT
7e45056c46daf65e7826480c454e3237df4d5f5d740828df5b5181cfde5eade0
XpertRAT
ae6a500ab45e86279c34a92c49d12f73716f0a492075180cdad48a761bf38b49
XpertRAT
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
XpertRAT
+ 2'476 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
rat family:xpertrat persistence evasion trojan
Link:
https://tria.ge/reports/201021-675ch83rj2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Program crash
Deletes itself
Windows security modification
Adds policy Run key to start application
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Unpacked files
SH256 hash:
b642ee9e0c62dcbb71ca4e722dc7a45e090ac60bd35f34c3199ad98c568cde6b
MD5 hash:
720f271211bc96a23df00598e1f15656
SHA1 hash:
2cb26257e261f7c0a2d82405b76963f4008fd531
Link:
https://www.unpac.me/results/fa05c701-4b39-4a90-b6af-aeb951495b2b/
SH256 hash:
222bcce097287c16b767fe574b2499f78829957ad26eeaeb49b46b2e736001b4
MD5 hash:
4d9d7b1bce34e6eecd350abe68a4e52e
SHA1 hash:
edf0146cd3ef919f456dc0743cbf0f946ce1236b
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/fa05c701-4b39-4a90-b6af-aeb951495b2b/
SH256 hash:
2b85dcd569de6ee8c12c3e02e7f421aca9fe1dbcef44ec84ecc9f24b44c78fcd
MD5 hash:
ed9f06d43792cdcb31a776ba84bcf626
SHA1 hash:
5077a5b44b437e6340797afc31d569e185578f4a
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/fa05c701-4b39-4a90-b6af-aeb951495b2b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

rar f4d2e964664267e3faaf91edad717781b7f14154b5d01316673c330bf0519f73

XpertRAT

Executable exe b642ee9e0c62dcbb71ca4e722dc7a45e090ac60bd35f34c3199ad98c568cde6b

(this sample)

  
Dropped by
MD5 fbbf2754e7f16480a1cd8514bc4eabf2
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f4d2e964664267e3faaf91edad717781b7f14154b5d01316673c330bf0519f73
Cape
Cape
https://www.capesandbox.com/analysis/73888/

Comments