SYMBOLCOMMON_NAMEaka. SYNONYMS
win.xpctra (Back to overview)

XPCTRA

aka: Expectra

Incorporates code of Quasar RAT.

References
2020-12-10JPCERT/CCKota Kino
@online{kino:20201210:attack:cd8c552, author = {Kota Kino}, title = {{Attack Activities by Quasar Family}}, date = {2020-12-10}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html}, language = {English}, urldate = {2020-12-10} } Attack Activities by Quasar Family
AsyncRAT Quasar RAT Venom RAT XPCTRA
2017-11-21bugarooOscar Juárez
@online{jurez:20171121:new:828279e, author = {Oscar Juárez}, title = {{New banking malware in Brazil - XPCTRA RAT ANALYSIS}}, date = {2017-11-21}, organization = {bugaroo}, url = {https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis}, language = {English}, urldate = {2020-01-08} } New banking malware in Brazil - XPCTRA RAT ANALYSIS
XPCTRA
2017-09-26ISCRenato Marinho
@online{marinho:20170926:xpctra:f648aa4, author = {Renato Marinho}, title = {{XPCTRA Malware Steals Banking and Digital Wallet User's Credentials}}, date = {2017-09-26}, organization = {ISC}, url = {https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/}, language = {English}, urldate = {2019-11-26} } XPCTRA Malware Steals Banking and Digital Wallet User's Credentials
XPCTRA
Yara Rules
[TLP:WHITE] win_xpctra_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_xpctra_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3300 3100 3300 45 0031 005700 2bc6 }
            // n = 7, score = 100
            //   3300                 | xor                 eax, dword ptr [eax]
            //   3100                 | xor                 dword ptr [eax], eax
            //   3300                 | xor                 eax, dword ptr [eax]
            //   45                   | inc                 ebp
            //   0031                 | add                 byte ptr [ecx], dh
            //   005700               | add                 byte ptr [edi], dl
            //   2bc6                 | sub                 eax, esi

        $sequence_1 = { 45 007100 3100 3300 3200 }
            // n = 5, score = 100
            //   45                   | inc                 ebp
            //   007100               | add                 byte ptr [ecx], dh
            //   3100                 | xor                 dword ptr [eax], eax
            //   3300                 | xor                 eax, dword ptr [eax]
            //   3200                 | xor                 al, byte ptr [eax]

        $sequence_2 = { 45 005700 57 0033 005100 51 }
            // n = 6, score = 100
            //   45                   | inc                 ebp
            //   005700               | add                 byte ptr [edi], dl
            //   57                   | push                edi
            //   0033                 | add                 byte ptr [ebx], dh
            //   005100               | add                 byte ptr [ecx], dl
            //   51                   | push                ecx

        $sequence_3 = { 65006500 3200 57 006500 3100 7100 }
            // n = 6, score = 100
            //   65006500             | add                 byte ptr gs:[ebp], ah
            //   3200                 | xor                 al, byte ptr [eax]
            //   57                   | push                edi
            //   006500               | add                 byte ptr [ebp], ah
            //   3100                 | xor                 dword ptr [eax], eax
            //   7100                 | jno                 2

        $sequence_4 = { 65007700 3100 3300 65007700 45 00fc }
            // n = 6, score = 100
            //   65007700             | add                 byte ptr gs:[edi], dh
            //   3100                 | xor                 dword ptr [eax], eax
            //   3300                 | xor                 eax, dword ptr [eax]
            //   65007700             | add                 byte ptr gs:[edi], dh
            //   45                   | inc                 ebp
            //   00fc                 | add                 ah, bh

        $sequence_5 = { 005100 004701 00ac0677007700 3100 7700 3300 51 }
            // n = 7, score = 100
            //   005100               | add                 byte ptr [ecx], dl
            //   004701               | add                 byte ptr [edi + 1], al
            //   00ac0677007700       | add                 byte ptr [esi + eax + 0x770077], ch
            //   3100                 | xor                 dword ptr [eax], eax
            //   7700                 | ja                  2
            //   3300                 | xor                 eax, dword ptr [eax]
            //   51                   | push                ecx

        $sequence_6 = { 7700 7700 650032 005100 57 005700 7700 }
            // n = 7, score = 100
            //   7700                 | ja                  2
            //   7700                 | ja                  2
            //   650032               | add                 byte ptr gs:[edx], dh
            //   005100               | add                 byte ptr [ecx], dl
            //   57                   | push                edi
            //   005700               | add                 byte ptr [edi], dl
            //   7700                 | ja                  2

        $sequence_7 = { 3100 3300 3200 57 005100 3100 }
            // n = 6, score = 100
            //   3100                 | xor                 dword ptr [eax], eax
            //   3300                 | xor                 eax, dword ptr [eax]
            //   3200                 | xor                 al, byte ptr [eax]
            //   57                   | push                edi
            //   005100               | add                 byte ptr [ecx], dl
            //   3100                 | xor                 dword ptr [eax], eax

        $sequence_8 = { 0033 0031 0032 0031 006500 3300 3100 }
            // n = 7, score = 100
            //   0033                 | add                 byte ptr [ebx], dh
            //   0031                 | add                 byte ptr [ecx], dh
            //   0032                 | add                 byte ptr [edx], dh
            //   0031                 | add                 byte ptr [ecx], dh
            //   006500               | add                 byte ptr [ebp], ah
            //   3300                 | xor                 eax, dword ptr [eax]
            //   3100                 | xor                 dword ptr [eax], eax

        $sequence_9 = { 007700 45 005700 3100 65007700 }
            // n = 5, score = 100
            //   007700               | add                 byte ptr [edi], dh
            //   45                   | inc                 ebp
            //   005700               | add                 byte ptr [edi], dl
            //   3100                 | xor                 dword ptr [eax], eax
            //   65007700             | add                 byte ptr gs:[edi], dh

    condition:
        7 of them and filesize < 11395072
}
Download all Yara Rules