MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f79b985c1bf0b6708864ec45d12917c2e130dc53408b648b893179874f8e4b97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


XpertRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f79b985c1bf0b6708864ec45d12917c2e130dc53408b648b893179874f8e4b97
SHA3-384 hash: f269c3da6166313d0e79d01e5a4b67b7d6092592bfd3fbbe9c157667fb602fd0cd7a007b4cf3f0dc752fa0b2f8485d80
SHA1 hash: 4b743df38e5f214bf85b85c95851bf75d08683a1
MD5 hash: 0816345b69321795af4a24159d3545b7
humanhash: maryland-item-lion-hawaii
File name:EMECA20_GeneralBrochureEN_web_pdf.exe
Download: download sample
Signature XpertRAT
Create hunting rule
File size:1'005'056 bytes
First seen:2020-08-04 09:31:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:30uyHcPgYxmOE+2Do4pPeRH89fpxUMdjOV30Qh6HI2qDVYkd0u:bzIYxPeVZlhUMdX2BVk
Threatray 178 similar samples on MalwareBazaar
TLSH 02259DC1F140DDA4E829093A883298614B33AE2FFE51861B349CB51977F738765B6F4B
Reporter abuse_ch
Tags:DEU exe geo nVpn RAT XpertRAT


Avatar
abuse_ch
Malspam distributing XpertRAT:

HELO: server.nemutlu.com.tr
Sending IP: 94.102.12.60
From: Barbara Weizsäcker <barbara.w@exposol.de>
Subject: Grüße von EMECA vom 2. bis 5. Dezember 2020
Attachment: EMECA20_GeneralBrochureEN_web_pdf.gz (contains "EMECA20_GeneralBrochureEN_web_pdf.exe")

XpertRAT C2:
185.165.153.49:3456

Hosted on nVpn:

% Information related to '185.165.153.0 - 185.165.153.255'

% Abuse contact for '185.165.153.0 - 185.165.153.255' is 'abuse@privacyfirst.sh'

inetnum: 185.165.153.0 - 185.165.153.255
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
netname: PRIVACYFIRST-EU2
country: EU
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
org: ORG-TPP6-RIPE
status: ASSIGNED PA
mnt-by: PRIVACYFIRST-MNT
created: 2019-10-18T12:14:26Z
last-modified: 2020-07-28T20:37:37Z
source: RIPE

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38418/
Detection(s):
Win.Trojan.Hzzv-7433640-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Deleting a recently created file
Replacing files
Reading critical registry keys
Unauthorized injection to a recently created process
Blocking the User Account Control
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun
Deleting of the original file
Result
Threat name:
MailPassView XpertRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408990
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (creates a PE file in dynamic memory)
Disables UAC (registry)
Disables user account control notifications
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Generic Dropper
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Yara detected XpertRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256731 Sample: EMECA20_GeneralBrochureEN_w... Startdate: 04/08/2020 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Yara detected MailPassView 2->60 62 Yara detected XpertRAT 2->62 64 7 other signatures 2->64 9 EMECA20_GeneralBrochureEN_web_pdf.exe 1 2->9         started        13 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 1 2->13         started        15 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 2->15         started        17 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 2->17         started        process3 file4 54 EMECA20_GeneralBro...eEN_web_pdf.exe.log, ASCII 9->54 dropped 80 Detected unpacking (creates a PE file in dynamic memory) 9->80 82 Injects a PE file into a foreign processes 9->82 19 EMECA20_GeneralBrochureEN_web_pdf.exe 1 1 9->19         started        22 EMECA20_GeneralBrochureEN_web_pdf.exe 9->22         started        84 Machine Learning detection for dropped file 13->84 24 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 1 13->24         started        26 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 13->26         started        28 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 13->28         started        30 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 1 15->30         started        32 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe 17->32         started        signatures5 process6 signatures7 66 Changes security center settings (notifications, updates, antivirus, firewall) 19->66 68 Disables user account control notifications 19->68 70 Disables UAC (registry) 19->70 34 iexplore.exe 3 9 19->34         started        process8 dnsIp9 56 185.165.153.49, 3456, 49718, 49719 DAVID_CRAIGGG Netherlands 34->56 50 L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7.exe, PE32 34->50 dropped 52 C:\...\L5Y8V7P1-C2B7-Q0N6-B1K7-L222R0D0G5H7, data 34->52 dropped 72 Creates an undocumented autostart registry key 34->72 74 Creates autostart registry keys with suspicious names 34->74 76 Writes to foreign memory regions 34->76 39 notepad.exe 34->39         started        42 iexplore.exe 34->42         started        44 iexplore.exe 1 34->44         started        46 4 other processes 34->46 file10 signatures11 process12 signatures13 78 Deletes itself after installation 39->78 48 WerFault.exe 42->48         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f79b985c1bf0b6708864ec45d12917c2e130dc53408b648b893179874f8e4b97/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 09:33:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66nzqxa36c3hbcde5rc5ckixylqtbxcticfwjc4jgf4yot4ojolq._file
Verdict:
malicious
Similar samples:
167d491785e99c6aec1e23ef064eceb9e7ac81af33262d7e3d3e51cc8759ce70
XpertRAT
1f3155a17517ae07b481c78d6611f7053275b9d488d7475aec599683a80d8a85
XpertRAT
4d0dfe01c27dfd2c35464a3f435cfb4cad6e996d6fc407cc8f10fc0b3d0692fe
XpertRAT
54c9ce578a123b2abbcb00af7638f3d1c93041959ebccf3981a099a869c5a171
XpertRAT
5b9a8fa88eb68e5b46666e38e99863c886e4e1c4d2cf6a04e0dd8416375c859c
XpertRAT
950c5135a82ae668688c83c699fc372e74f2745aae8effd9f87fcae2b4a447be
XpertRAT
bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
XpertRAT
dcafd8ba263cf7e448be257a8d25c968a0060908f93f9d02a068bb0dd482879f
XpertRAT
dedad3d7a97da9f0103dd87d86a422e38f581879c41ab07594d141eb303d2de9
XpertRAT
eaab0de271ab0a0a59a3db2c79ec4e0b9c6f645d4c49bb0deadb3c3469fb19a8
XpertRAT
+ 168 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200804-efcsgnraxs/
Behaviour
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Deletes itself
Windows security modification
Reads user/profile data of web browsers
UPX packed file
Adds policy Run key to start application
UAC bypass
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f79b985c1bf0b6708864ec45d12917c2e130dc53408b648b893179874f8e4b97

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_xpertrat_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

XpertRAT

gz 5648ae8e4d5fe8302713953412d15757bdc57c61e4554808158073999270a99a

XpertRAT

Executable exe f79b985c1bf0b6708864ec45d12917c2e130dc53408b648b893179874f8e4b97

(this sample)

  
Dropped by
MD5 ed1ab5710b1770ba84997a5b83fe9714
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38418/
  
Dropped by
SHA256 5648ae8e4d5fe8302713953412d15757bdc57c61e4554808158073999270a99a

Comments