MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c052755bf3cab34b18f346c176d9c20c296dd4010b818a424d763625eeb6ff92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c052755bf3cab34b18f346c176d9c20c296dd4010b818a424d763625eeb6ff92
SHA3-384 hash: 76aa2094bf5368e14b35148a67e0e2b9e47ced233431b36ff8b5513240ab1cedf1838a00dd8528e0620cf63531115179
SHA1 hash: 32669f8f8867e02b2be54d3fd73850e77b39ff5f
MD5 hash: d33732b691720be2cef97957e40bb69e
humanhash: louisiana-august-stairway-butter
File name:d33732b691720be2cef97957e40bb69e.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:750'592 bytes
First seen:2021-07-13 13:21:27 UTC
Last seen:2021-07-13 14:02:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:/QDrQ47uELrXJy2Mda/Rb/kOhCQBMNqjASyZ1iPFprFB7Zipspk7uDa6BlhNAL4:/QDE1yr5y2Mda/BkOhCQBMNq0X1g77ME
Threatray 5'019 similar samples on MalwareBazaar
TLSH T161F42310F2674DACF1BACE71330E0A90545E94D7560B7B67359C46A68F03FDB2A832B9
Reporter abuse_ch
Tags:exe XpertRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d33732b691720be2cef97957e40bb69e.exe
Verdict:
Malicious activity
Analysis date:
2021-07-13 13:28:06 UTC
Tags:
trojan rat xpertrat stealer
Link:
https://app.any.run/tasks/225aa9fe-8aed-481c-b2dc-158453f2652c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/171429/
Detection(s):
SecuriteInfo.com.ArtemisD33732B69172.8310.19663.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8f9714a7-7f99-4454-9e2d-de69afed2013
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/815642
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Disables user account control notifications
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 448053 Sample: 3r4QhnkO9r.exe Startdate: 13/07/2021 Architecture: WINDOWS Score: 100 42 oklahama.ydns.eu 2->42 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 5 other signatures 2->62 8 3r4QhnkO9r.exe 5 2->8         started        12 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe 4 2->12         started        14 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe 2 2->14         started        16 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe 2 2->16         started        signatures3 process4 file5 32 C:\Users\user\AppData\...\3r4QhnkO9r.exe, PE32 8->32 dropped 34 C:\Users\...\3r4QhnkO9r.exe:Zone.Identifier, ASCII 8->34 dropped 36 C:\Users\user\AppData\...\3r4QhnkO9r.exe.log, ASCII 8->36 dropped 64 Writes to foreign memory regions 8->64 66 Injects a PE file into a foreign processes 8->66 18 3r4QhnkO9r.exe 1 1 8->18         started        68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 21 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe 12->21         started        38 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe, PE32 14->38 dropped 23 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe 14->23         started        25 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe 16->25         started        signatures6 process7 signatures8 46 Multi AV Scanner detection for dropped file 18->46 48 Detected unpacking (creates a PE file in dynamic memory) 18->48 50 Changes security center settings (notifications, updates, antivirus, firewall) 18->50 54 4 other signatures 18->54 27 iexplore.exe 3 7 18->27         started        52 Machine Learning detection for dropped file 21->52 process9 dnsIp10 44 oklahama.ydns.eu 195.133.40.229, 1307, 49701, 49702 SPD-NETTR Russian Federation 27->44 40 X550V6H4-V1N8-X8C6-D6T5-A7W0Q2D4J7R2.exe, PE32 27->40 dropped 72 Creates an undocumented autostart registry key 27->72 74 Creates autostart registry keys with suspicious names 27->74 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c052755bf3cab34b18f346c176d9c20c296dd4010b818a424d763625eeb6ff92/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 12:00:49 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1ca3cfc63c029b0d6a0d312cac86c5dc77e9efe86dd711a08e1f25d0ec62c366
XpertRAT
29a4c9380a91012be5a2b3659f9a4c46d0eca15c689a95707f78ccde9cd11f02
XpertRAT
49b1f7e34f74b3ea4b97852292dfd6e856a58f74a181f5a3aadd6356503ae617
XpertRAT
53174a644680154786d09b66cc8c4a1aa83c625bd10137600bf191573fa5c602
XpertRAT
5c32fd3de4bce60a2529cebc5f47b8a1562ea9bd22549f829b22b0533b32f79b
XpertRAT
68f58a48d09d07cd851a8d03cef1a6000f715257fbfbad215e22013ac7a7e611
XpertRAT
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
XpertRAT
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
XpertRAT
d171f74f5d0cb8a469db9262869b3798ae0ed18098b4017207ff7f6e69fcd07a
XpertRAT
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
XpertRAT
+ 5'009 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat trojan upx
Link:
https://tria.ge/reports/210713-qg3jwrd32n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Program crash
Windows security modification
Adds policy Run key to start application
UPX packed file
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Unpacked files
SH256 hash:
d057933476e60e577c44e49d8f97f6260b4b9cc02fbc0e5fe530d7a6112fc7c5
MD5 hash:
fb03f9178de1936307f5ce17eb2cc11d
SHA1 hash:
df96659db4216dfb5eeed30009b4c2da3b2a8a04
Link:
https://www.unpac.me/results/eb531ecf-cda6-4a56-ab28-a16100c948a7/
SH256 hash:
9a76428c25936d0bf5cf29274043aefbc1581ba8e6d5bd77760e1cc4e8ea04f6
MD5 hash:
490670d922609d63fc9fdc516f08944d
SHA1 hash:
9593f18eb75896e5db432238aa37e246c3a920ac
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/eb531ecf-cda6-4a56-ab28-a16100c948a7/
SH256 hash:
d756272ca1c6a98b54667031993560d7572a61de469b3b08b2564221a104b8a9
MD5 hash:
be25f8f4ce873583015b0b74f7c83ae1
SHA1 hash:
c4d3b1aa8961fa2e82f07dddacca219918f8b567
Link:
https://www.unpac.me/results/eb531ecf-cda6-4a56-ab28-a16100c948a7/
SH256 hash:
4a0d8f5e15aeb1e09bf7aebd46f6b858c379958cfbd5810fbcaee76f74ca9b4c
MD5 hash:
52db021bcc5133fdede0cad4d033ac6d
SHA1 hash:
24701a5e35cba4c2da2d0a83732b702ebba17e4e
Link:
https://www.unpac.me/results/eb531ecf-cda6-4a56-ab28-a16100c948a7/
SH256 hash:
c052755bf3cab34b18f346c176d9c20c296dd4010b818a424d763625eeb6ff92
MD5 hash:
d33732b691720be2cef97957e40bb69e
SHA1 hash:
32669f8f8867e02b2be54d3fd73850e77b39ff5f
Link:
https://www.unpac.me/results/eb531ecf-cda6-4a56-ab28-a16100c948a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c052755bf3cab34b18f346c176d9c20c296dd4010b818a424d763625eeb6ff92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XpertRAT

Executable exe c052755bf3cab34b18f346c176d9c20c296dd4010b818a424d763625eeb6ff92

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1394875/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/171429/

Comments