MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3f2094ff947212a812af1a551b602d9056843ae7f3bdf5f95c90e0590f9fb0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3f2094ff947212a812af1a551b602d9056843ae7f3bdf5f95c90e0590f9fb0a
SHA3-384 hash: b3d9ca1c2aff8efe7e490a1eb6cfa4d50e5ff9d0cd6052ea71ca4ffdd090dd61caea023c987c38318449e8969927c7f5
SHA1 hash: a5a8ff2ee22dce4ec4d2d5674c29dc2483fb418e
MD5 hash: 0530c72ac087e821a13fd9173565dfe8
humanhash: spring-seventeen-fillet-south
File name:0530c72ac087e821a13fd9173565dfe8.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:29'600 bytes
First seen:2020-11-11 16:07:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:WOOJGKBr/lYANiIsO9mvrOvTL/9jxD4QXXx4TyLSzhUfEmDgf2h+k:WzHGAj+Ojx8QxNcmUf2h+k
Threatray 440 similar samples on MalwareBazaar
TLSH D6D22D5067F07821FB7AE5324FABA09027F2F3E3A770C3AABF9C416451432960D162B5
Reporter abuse_ch
Tags:exe RAT XpertRAT


Avatar
abuse_ch
XpertRAT C2:
sandshoe.myfirewall.org:2054

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Adding an access-denied ACE
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Deleting a recently created file
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/530414
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected unpacking (creates a PE file in dynamic memory)
Disables user account control notifications
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314310 Sample: plvSd6AoLp.exe Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 69 Malicious sample detected (through community Yara rule) 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected XpertRAT 2->73 75 2 other signatures 2->75 7 plvSd6AoLp.exe 15 2 2->7         started        11 C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4.exe 14 2 2->11         started        13 C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4.exe 2->13         started        15 C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4.exe 2 2->15         started        process3 dnsIp4 59 hastebin.com 104.24.126.89, 443, 49711, 49739 CLOUDFLARENETUS United States 7->59 77 Detected unpacking (creates a PE file in dynamic memory) 7->77 79 Hides threads from debuggers 7->79 81 Injects a PE file into a foreign processes 7->81 83 Contains functionality to hide a thread from the debugger 7->83 17 plvSd6AoLp.exe 1 1 7->17         started        20 WerFault.exe 23 9 7->20         started        23 timeout.exe 1 7->23         started        61 172.67.143.180, 443, 49733, 49734 CLOUDFLARENETUS United States 11->61 85 Multi AV Scanner detection for dropped file 11->85 34 3 other processes 11->34 25 timeout.exe 13->25         started        36 4 other processes 13->36 27 timeout.exe 15->27         started        29 WerFault.exe 15->29         started        32 C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4.exe 15->32         started        signatures5 process6 dnsIp7 65 Changes security center settings (notifications, updates, antivirus, firewall) 17->65 67 Disables user account control notifications 17->67 38 iexplore.exe 3 8 17->38         started        51 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->51 dropped 43 conhost.exe 23->43         started        45 conhost.exe 23->45         started        47 conhost.exe 25->47         started        49 conhost.exe 27->49         started        63 192.168.2.1 unknown unknown 29->63 file8 signatures9 process10 dnsIp11 57 sandshoe.myfirewall.org 66.154.113.249, 2054, 49720, 49721 ASN-QUADRANET-GLOBALUS Canada 38->57 53 C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4.exe, PE32 38->53 dropped 55 C:\...\C7H2A8R6-A3X1-J1N8-N887-L0I1C4O6U0D4, data 38->55 dropped 87 Creates an undocumented autostart registry key 38->87 89 Creates autostart registry keys with suspicious names 38->89 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3f2094ff947212a812af1a551b602d9056843ae7f3bdf5f95c90e0590f9fb0a/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 14:02:33 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pzast7zi4qsvajk6gsvdnqc3ecwqq5op4556x4vzehalehz7mfa._file
Verdict:
malicious
Similar samples:
006c01ecec6a14ad6038b988764b9cebc4f75cdccd4ccedc5b962bdd3cc994bd
XpertRAT
12f341bc0f65e96848b4dd440afc7f653e883e740adcb677fc4f8b5ba5c38ef2
XpertRAT
59b88d9a9cc0b316b6cb94cae1e639933685da63bbbfe6c384acfbc11d430aae
XpertRAT
8963180e8b2e7e51c5abd716e7a562ad010f663c41a38015ad2566231a7da9af
XpertRAT
9666c06b6da42bc3cc7ae265a46cd4d137c74a1be711151efe9a44c31a894a78
XpertRAT
ada06fa53bcebf55db1efd74571846489efb56f71f3e8283e157e78c69da8ee4
XpertRAT
b8d430b1bdab27f5308b0f3817a50718dc72c01f0a126c44c15e0959efd3f588
XpertRAT
bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
XpertRAT
c675725093fc52813ef776f4c04acb080bcc017691987fd2c8db555911f6ab13
XpertRAT
ff9d837e464eb07ad603c0b2ac0a35029117123c31570baeb61fca9a0242b493
XpertRAT
+ 430 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat evasion persistence rat spyware trojan upx
Link:
https://tria.ge/reports/201111-fpjxnhgw36/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Reads user/profile data of web browsers
Windows security modification
Adds policy Run key to start application
UPX packed file
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Unpacked files
SH256 hash:
d3f2094ff947212a812af1a551b602d9056843ae7f3bdf5f95c90e0590f9fb0a
MD5 hash:
0530c72ac087e821a13fd9173565dfe8
SHA1 hash:
a5a8ff2ee22dce4ec4d2d5674c29dc2483fb418e
Link:
https://www.unpac.me/results/42124504-fdb8-402e-a236-6061dc5a9ffe/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

XpertRAT

Executable exe d3f2094ff947212a812af1a551b602d9056843ae7f3bdf5f95c90e0590f9fb0a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/803870/
  
Delivery method
Distributed via web download

Comments