MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d923075e568d6597f99a660df23e05e978cd34ab50ee30dc5b8687865b26d55e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d923075e568d6597f99a660df23e05e978cd34ab50ee30dc5b8687865b26d55e
SHA3-384 hash: 18c1268cba18fcad71b8bfcfbd33f2ce392a1d47a5fc0ea141914bfe0c24e21f0387396eaceee60c05fe45600be65fc4
SHA1 hash: dc51ac42a38476515b7383b7b0a465b6482fae8d
MD5 hash: dd1212990255208a66189a55aab83f67
humanhash: mike-cola-leopard-colorado
File name:F4414_pdf.gz
Download: download sample
Signature XpertRAT
Create hunting rule
File size:596'715 bytes
First seen:2020-10-27 09:57:36 UTC
Last seen:Never
File type: gz
MIME type:application/gzip
ssdeep 12288:Xzkh55Ao25Sc+Jzpi8PkbiPCY/aNeiFQ9wUfjKW8i+6DGNIn:XwFJk8Pk+PCY/aNU9JO51Fk
TLSH 18C423D1CDE32AA96C2606D0E343B7C346C6BEDD26A856E9899BF0E3158755353034EC
Reporter abuse_ch
Tags:gz nVpn RAT XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

HELO: 32490AF.online-server.cloud
Sending IP: 82.223.103.239
From: Acerlogistica.com <administracion@acerlogistica.com>
Subject: EnvĂ­o F4414
Attachment: F4414_pdf.gz (contains "gunzipped")

XpertRAT C2:
185.244.30.211:4576

Hosted on nVpn:

% Information related to '185.244.30.0 - 185.244.30.255'

% Abuse contact for '185.244.30.0 - 185.244.30.255' is 'abuse@privacyfirst.sh'

inetnum: 185.244.30.0 - 185.244.30.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-HU
country: HU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-29T14:10:27Z
last-modified: 2020-10-07T21:39:48Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Hzzv-7433640-0
Create hunting rule

Sanesecurity.Malware.27383.GZipHeur.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d923075e568d6597f99a660df23e05e978cd34ab50ee30dc5b8687865b26d55e/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 07:45:03 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3erqoxswrvszp6m2myg7epqf5f4m2nflkdxdbxc3q2dymwzg2vpa._file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

gz d923075e568d6597f99a660df23e05e978cd34ab50ee30dc5b8687865b26d55e

(this sample)

XpertRAT

Executable exe 88b664781d7b10fc5130cf6453fbde5b26b129f0e2f5e002d62be833b0fcd020

  
Dropping
MD5 2f7687172e06c6868282ba3e1428aaeb
  
Dropping
XpertRAT
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 88b664781d7b10fc5130cf6453fbde5b26b129f0e2f5e002d62be833b0fcd020

Comments