MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddde7cd1d82b5dee479ac17413690cedd04ad04ee14ae271d590da80e5a2a8bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddde7cd1d82b5dee479ac17413690cedd04ad04ee14ae271d590da80e5a2a8bd
SHA3-384 hash: 333ff8d8f0cb7b0851fdf13098d75c01b9e7ffb3242c44c7694a23ed4c403141e98b8509678c3b6a644b4d888702fd3a
SHA1 hash: c13a41eb03b9e26fec3e6d6f6c1e273111729c03
MD5 hash: 6ddea92be72b5543d108ec83b588297d
humanhash: video-whiskey-eighteen-fourteen
File name:DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:702'464 bytes
First seen:2021-09-05 12:41:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9a95e2e380b061bc9cadf7c92259a464 (1 x XpertRAT)
ssdeep 12288:rFmx4sA2SFJysWmh2TUjc58OJek3EGAxMRtx9Wn0PG9pCPC:I6kSFJGmhIUI5zn3EGAORr9WnOG9UK
Threatray 133 similar samples on MalwareBazaar
TLSH T10EE4AF35E3A08C72D132273CCC5BA67C583AFD41297C9A4AA7ECAD1CAF2D1413527297
dhash icon c2c1e46698b874bd (1 x XpertRAT)
Reporter abuse_ch
Tags:exe XpertRAT


Avatar
abuse_ch
XpertRAT C2:
192.169.69.25:1989

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.25:1989 https://threatfox.abuse.ch/ioc/216104/

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-05 12:44:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88b2caa1-ac90-427f-9d5a-159d0058e30c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XpertRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185442/
Detection(s):
Win.Malware.Fareit-7059306-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Connection attempt to an infection source
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Enabling autorun
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9aba6b87-b853-4d9b-a43c-24a467713a95
Result
Threat name:
XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845539
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Disables user account control notifications
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Uses dynamic DNS services
Yara detected Generic Dropper
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 477970 Sample: DDDE7CD1D82B5DEE479AC174136... Startdate: 05/09/2021 Architecture: WINDOWS Score: 100 59 csimich.duckdns.org 2->59 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 Antivirus / Scanner detection for submitted sample 2->67 69 6 other signatures 2->69 10 DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe 2->10         started        13 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 2->13         started        15 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 2->15         started        17 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 2->17         started        signatures3 process4 signatures5 85 Maps a DLL or memory area into another process 10->85 87 Contains functionality to detect sleep reduction / modifications 10->87 19 DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe 1 1 10->19         started        22 DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe 10->22         started        89 Antivirus detection for dropped file 13->89 91 Multi AV Scanner detection for dropped file 13->91 93 Machine Learning detection for dropped file 13->93 24 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 13->24         started        26 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 1 13->26         started        28 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 15->28         started        30 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 1 15->30         started        32 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 17->32         started        34 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 1 17->34         started        process6 signatures7 71 Changes security center settings (notifications, updates, antivirus, firewall) 19->71 73 Disables user account control notifications 19->73 75 Sample uses process hollowing technique 19->75 36 iexplore.exe 3 7 19->36         started        41 DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe 22->41         started        43 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 24->43         started        45 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 28->45         started        47 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe 32->47         started        process8 dnsIp9 61 csimich.duckdns.org 192.169.69.25, 1989, 49701, 49704 WOWUS United States 36->61 55 Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4.exe, PE32 36->55 dropped 57 C:\...\Y1E5W2H0-W6U4-K5S1-S8J1-Y5X8K0K337V4, data 36->57 dropped 77 Creates an undocumented autostart registry key 36->77 79 Creates autostart registry keys with suspicious names 36->79 49 DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe 41->49         started        51 DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe 1 41->51         started        81 Maps a DLL or memory area into another process 43->81 83 Sample uses process hollowing technique 43->83 file10 signatures11 process12 process13 53 DDDE7CD1D82B5DEE479AC17413690CEDD04AD04EE14AE.exe 49->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddde7cd1d82b5dee479ac17413690cedd04ad04ee14ae271d590da80e5a2a8bd/
Threat name:
Win32.Trojan.MintTitirez
Create hunting rule
Status:
Malicious
First seen:
2019-07-15 12:02:23 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xphzuoyfno64r42yf2bg2im5xievuco4ffoe4ovsdnibzncvc6q._file
Verdict:
malicious
Similar samples:
34cf92c4236aec58cb4fdee3e1cd71cbad154a5d7e0e38fdf299741ab232ce03
XpertRAT
3f987bb8c8f01c7c6d78d03aef0062b01fffd332860f3f7e9e29710466062dc2
XpertRAT
6b967f15ce9196b17393e96b58b12f2855b45c9ae084fb54382b13556864107f
XpertRAT
a498ac74ffd2f4ceccc802b5a42f33e067a7eb6f0b2125c3cf3668dd5c0c7833
XpertRAT
c43430e7fdd512d017ac41b7b7cf8f7a58fb5501b97f8e3c81bd491ace7d4dd0
XpertRAT
d324d33233edf16f00bb4c9a06a14eee0ef15f8d90a3b9f62213e0ea9054312d
XpertRAT
e825c5b9c196015372cc2153f670cdfec42827fe20aff62c5d493b67fd9c92f1
XpertRAT
ea5f7ceccf5540860f32abe23534330ccb4b5b082d94b2afb5aa1e6d26a1ae56
XpertRAT
f8e52fa75724eb08c0ec68db6799740ad36c7178b8f0dd7c8b0ee755ff60c653
XpertRAT
+ 123 additional samples on MalwareBazaar
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:xpertrat botnet:test evasion persistence rat trojan
Link:
https://tria.ge/reports/210905-pxdcsacgdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Windows security modification
Adds policy Run key to start application
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
Malware Config
C2 Extraction:
csimich.duckdns.org:1989
Unpacked files
SH256 hash:
11f5c21e32a614c5105359ff9233c1671a7657d2433459ab0f589506b8291180
MD5 hash:
ceba169ea3cb5a7a9ab0c763b5d5ff51
SHA1 hash:
ddc589d190db6fb9bdb451c23d25a3f9ea051096
Link:
https://www.unpac.me/results/46706407-753a-4297-9022-0d53f77b8222/
SH256 hash:
00ed02ce54175e0193227b674640459026c05fafeb93c5bda4a17c2f1f106c73
MD5 hash:
5fe23d5d6b5596b77006b0686e558ecf
SHA1 hash:
cc2c95d10303e26b846b64c8a438818d4e1387eb
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/46706407-753a-4297-9022-0d53f77b8222/
SH256 hash:
ddde7cd1d82b5dee479ac17413690cedd04ad04ee14ae271d590da80e5a2a8bd
MD5 hash:
6ddea92be72b5543d108ec83b588297d
SHA1 hash:
c13a41eb03b9e26fec3e6d6f6c1e273111729c03
Link:
https://www.unpac.me/results/46706407-753a-4297-9022-0d53f77b8222/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
XpertRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ddde7cd1d82b5dee479ac17413690cedd04ad04ee14ae271d590da80e5a2a8bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_XpertRAT
Create hunting rule
Author:ditekSHen
Description:XpertRAT payload
Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xpertrat.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185442/

Comments