MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
SHA3-384 hash: e45331b8b59212bfeca65e42bfcf713ff7c7bb7239438aa7e1631bc4e2264dce759a19c8ae5c76a654ecc6ed8db2f302
SHA1 hash: 34cd8c2507265bfe6e555fcbcf6e8d9813b125db
MD5 hash: 9b050abfd10976b7ce7c3a5fcd77740a
humanhash: autumn-apart-hawaii-xray
File name:PRD736382-310722-MOQ.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:878'080 bytes
First seen:2022-07-31 11:04:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:PXmSYlxsBkLd/HO2eOxK+upJoyp+BYo6kyShr3eIPaQPaLV+o69nXZp9KO6nQTIU:PXmcJg6kyShr3RPavQZSO6nQTIyx7
TLSH T13D15D00835D7BB57EA7EF33846E951518BF8F113D209E72A6C6402FACE52F60895603B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter 0xToxin
Tags:avemaria exe SnakeKeylogger SRRBomber XpertRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.206.241.246:2442 https://threatfox.abuse.ch/ioc/840573/

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295335/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.28299.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e6621b5c07b66577e03bdb/reports/a84fb7a5-aced-45e3-8b0c-b5efca71c4f6/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83720890-d918-43da-8e9b-c7757406943b
Result
Threat name:
AveMaria, MailPassView, Snake Keylogger,
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1043742
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Disables user account control notifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Generic Downloader
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected WebBrowserPassView password recovery tool
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 676236 Sample: PRD736382-310722-MOQ.exe Startdate: 31/07/2022 Architecture: WINDOWS Score: 100 73 Snort IDS alert for network traffic 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for dropped file 2->77 79 18 other signatures 2->79 9 PRD736382-310722-MOQ.exe 3 2->9         started        13 Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4.exe 2->13         started        15 Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4.exe 1 2->15         started        17 4 other processes 2->17 process3 file4 61 C:\Users\...\PRD736382-310722-MOQ.exe.log, ASCII 9->61 dropped 111 Injects a PE file into a foreign processes 9->111 19 PRD736382-310722-MOQ.exe 4 9->19         started        113 Antivirus detection for dropped file 13->113 115 Multi AV Scanner detection for dropped file 13->115 117 Machine Learning detection for dropped file 13->117 signatures5 process6 dnsIp7 67 192.168.2.1 unknown unknown 19->67 55 C:\Users\user\AppData\...\WALL PAPER.EXE, PE32 19->55 dropped 57 C:\Users\user\AppData\Local\TempbehaviorgraphUM.EXE, PE32 19->57 dropped 59 C:\Users\user\AppData\Local\TempGGMM.EXE, PE32 19->59 dropped 23 GUM.EXE 1 1 19->23         started        26 EGGMM.EXE 15 2 19->26         started        29 WALL PAPER.EXE 4 4 19->29         started        file8 process9 dnsIp10 91 Antivirus detection for dropped file 23->91 93 Multi AV Scanner detection for dropped file 23->93 95 Changes security center settings (notifications, updates, antivirus, firewall) 23->95 109 3 other signatures 23->109 32 iexplore.exe 3 8 23->32         started        69 checkip.dyndns.com 158.101.44.242, 49741, 80 ORACLE-BMC-31898US United States 26->69 71 checkip.dyndns.org 26->71 97 Tries to steal Mail credentials (via file / registry access) 26->97 99 Machine Learning detection for dropped file 26->99 101 Tries to harvest and steal ftp login credentials 26->101 103 Tries to harvest and steal browser information (history, passwords, etc) 26->103 63 C:\ProgramData\images.exe, PE32 29->63 dropped 105 Increases the number of concurrent connection per server for Internet Explorer 29->105 107 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->107 37 images.exe 1 29->37         started        39 cmd.exe 1 29->39         started        file11 signatures12 process13 dnsIp14 65 toomuchego.ydns.eu 109.206.241.246, 2442, 49742, 49743 AWMLTNL Germany 32->65 53 Y1F5W2I0-W6V4-G5S1-T8J1-U5Y8L0K337W4.exe, PE32 32->53 dropped 81 Creates an undocumented autostart registry key 32->81 83 Creates autostart registry keys with suspicious names 32->83 85 Sample uses process hollowing technique 32->85 41 iexplore.exe 32->41         started        43 BackgroundTransferHost.exe 32->43         started        45 iexplore.exe 32->45         started        47 iexplore.exe 32->47         started        87 Antivirus detection for dropped file 37->87 89 Machine Learning detection for dropped file 37->89 49 conhost.exe 39->49         started        51 reg.exe 1 1 39->51         started        file15 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-31 07:41:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6347pmg5unhhmlnryhktmkwuiy4ci26b75mde6ero6dj2drzgibq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Result
Malware family:
xpertrat
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger family:warzonerat family:xpertrat collection evasion infostealer keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/220731-m6t1saebfr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Reads user/profile data of web browsers
Windows security modification
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Adds policy Run key to start application
Executes dropped EXE
Snake Keylogger
Snake Keylogger payload
UAC bypass
WarzoneRat, AveMaria
Windows security bypass
XpertRAT
Malware Config
C2 Extraction:
toomuchego.ydns.eu:5200
Unpacked files
SH256 hash:
c32e5e42d788868447c4b65e2e99d57161ed62ac0ee34a1134371756b3a29bda
MD5 hash:
70a5e21750e11f4baaadf23972375241
SHA1 hash:
36b39170f384ac7f9a6c3b4f0192a42e7cd035ea
Detections:
win_xpertrat_a0
Create hunting rule
win_xpertrat_auto
Create hunting rule
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
Parent samples :
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
e6da15aedc54f4b4faa8df84038a7172eb010fcaa4caeb3008e7fd371597f973
SH256 hash:
5e97ccd8dafcb36b3cb772f6a2fd425abcf221ab9ea1930e8c2618c95332f2c6
MD5 hash:
01800f6b045def8d90c649842f56d752
SHA1 hash:
f8434a4636d0772d01aac44bb3f9753a41f01d34
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
SH256 hash:
477cab8d4385172d679200edc6619462de2402d912f21f36981fc058987a6d52
MD5 hash:
16a9ddc4b32981114fe4f069a4353105
SHA1 hash:
bf73849f57c150f9e2199c61427f631be2dfa595
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
SH256 hash:
2197a69de41b7427d9cb1a895ef190cddaeee40eef8992957cb534094489ab45
MD5 hash:
8982646e4d71b29a3b71124c7088a46b
SHA1 hash:
b96c75cba285130a24d4235e21796ace83e81fd9
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
SH256 hash:
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
MD5 hash:
d934bc77b8157ece0a3bbec1527cee9b
SHA1 hash:
841017a8d48040f1e0d593608c2506007ea9f997
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
Parent samples :
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
c6e161181e3f246471f546f84655f3de28e86860db5c449293a56efc17024aac
120423f71527bac958f92cfaf06203a082324bfdb0279896404058e2ff2fe763
e6da15aedc54f4b4faa8df84038a7172eb010fcaa4caeb3008e7fd371597f973
SH256 hash:
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
MD5 hash:
f801b47ec91f5f75b0f5804506665b14
SHA1 hash:
6ca1c47f85abaed4a3cc414b6200360ca658b2c5
Detections:
win_ave_maria_g0
Create hunting rule
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
Parent samples :
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
fec53b388671f2f82fd8c743a3695f432037caffe5f2e04ea77c206809efd048
62ae48d339e52a1b5be82e703025f2be10d6025f97fd784d40f2781d6ee886ec
SH256 hash:
f91cf396d6cc0e3803aa25fd0770e9a252196ae616e032e4880668c8ded74dc0
MD5 hash:
81912e3dd162ce7c96114a84d0d58b29
SHA1 hash:
2def8b1c48c9e550f57c9dab915c5232a7113d57
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
SH256 hash:
f71d97c3d42af0eb4cc74e640a995eb0f288bab59b7be5cd89eccb21cd304f36
MD5 hash:
6c72218c48cd68cbcb654675053a0abb
SHA1 hash:
12207fa32070f99683648d87b44410e5d3cdf2de
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
SH256 hash:
a2bb808321745ce0239b5a84c78a801644d903ce8a6ab87193337aaf2d01fc31
MD5 hash:
350dfc66657d2d9b2231bf8bfe33497b
SHA1 hash:
0fb28b28c416d21f1db2d54355e89fa8ec3e3324
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
SH256 hash:
f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203
MD5 hash:
9b050abfd10976b7ce7c3a5fcd77740a
SHA1 hash:
34cd8c2507265bfe6e555fcbcf6e8d9813b125db
Link:
https://www.unpac.me/results/119dd30b-53bf-4588-af2d-524726da62d0/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f6f9f7b0dda3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

Executable exe f6f9f7b0dda34e762db1c1d5362ad44638246bc1ff5832789177869d0e393203

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/295335/

Comments