SYMBOLCOMMON_NAMEaka. SYNONYMS
win.xpertrat (Back to overview)

XpertRAT


There is no description at this point.

References
2021-04-21TalosVanja Svajcer
@online{svajcer:20210421:year:4741c8e, author = {Vanja Svajcer}, title = {{A year of Fajan evolution and Bloomberg themed campaigns}}, date = {2021-04-21}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html}, language = {English}, urldate = {2021-04-28} } A year of Fajan evolution and Bloomberg themed campaigns
MASS Logger Nanocore RAT NetWire RC Revenge RAT XpertRAT
2018-12-18K7 SecurityLokesh J
@online{j:20181218:scumbag:720cb3c, author = {Lokesh J}, title = {{Scumbag Combo: Agent Tesla and XpertRAT}}, date = {2018-12-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=15672}, language = {English}, urldate = {2020-01-06} } Scumbag Combo: Agent Tesla and XpertRAT
XpertRAT
2018-03-12Veronica Valeros' BlogVeronica Valeros
@online{valeros:20180312:study:73a8b6b, author = {Veronica Valeros}, title = {{A Study of RATs: Third Timeline Iteration}}, date = {2018-03-12}, organization = {Veronica Valeros' Blog}, url = {https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration}, language = {English}, urldate = {2020-01-10} } A Study of RATs: Third Timeline Iteration
XpertRAT
Yara Rules
[TLP:WHITE] win_xpertrat_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_xpertrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0808 008a3800cc1c 5e 006c70ff }
            // n = 4, score = 200
            //   0808                 | or                  byte ptr [eax], cl
            //   008a3800cc1c         | add                 byte ptr [edx + 0x1ccc0038], cl
            //   5e                   | pop                 esi
            //   006c70ff             | add                 byte ptr [eax + esi*2 - 1], ch

        $sequence_1 = { 007168 ff0468 ff0a 250004003c }
            // n = 4, score = 200
            //   007168               | add                 byte ptr [ecx + 0x68], dh
            //   ff0468               | inc                 dword ptr [eax + ebp*2]
            //   ff0a                 | dec                 dword ptr [edx]
            //   250004003c           | and                 eax, 0x3c000400

        $sequence_2 = { 0878ff 0d98000700 6e 74ff 6e }
            // n = 5, score = 200
            //   0878ff               | or                  byte ptr [eax - 1], bh
            //   0d98000700           | or                  eax, 0x70098
            //   6e                   | outsb               dx, byte ptr [esi]
            //   74ff                 | je                  1
            //   6e                   | outsb               dx, byte ptr [esi]

        $sequence_3 = { 0000 00a1cc004400 0bc0 7402 ffe0 68???????? }
            // n = 6, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   00a1cc004400         | add                 byte ptr [ecx + 0x4400cc], ah
            //   0bc0                 | or                  eax, eax
            //   7402                 | je                  4
            //   ffe0                 | jmp                 eax
            //   68????????           |                     

        $sequence_4 = { 250004003c 6c 70ff 0808 }
            // n = 4, score = 200
            //   250004003c           | and                 eax, 0x3c000400
            //   6c                   | insb                byte ptr es:[edi], dx
            //   70ff                 | jo                  1
            //   0808                 | or                  byte ptr [eax], cl

        $sequence_5 = { 0000 ae 045c ff4d40 ff08 40 }
            // n = 6, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   045c                 | add                 al, 0x5c
            //   ff4d40               | dec                 dword ptr [ebp + 0x40]
            //   ff08                 | dec                 dword ptr [eax]
            //   40                   | inc                 eax

        $sequence_6 = { 0d80000700 0474 ff0478 ff05???????? 000d???????? 0878ff 0d98000700 }
            // n = 7, score = 200
            //   0d80000700           | or                  eax, 0x70080
            //   0474                 | add                 al, 0x74
            //   ff0478               | inc                 dword ptr [eax + edi*2]
            //   ff05????????         |                     
            //   000d????????         |                     
            //   0878ff               | or                  byte ptr [eax - 1], bh
            //   0d98000700           | or                  eax, 0x70098

        $sequence_7 = { 5e 006c70ff 0808 008f38001b26 001b 0d002a2364 ff08 }
            // n = 7, score = 200
            //   5e                   | pop                 esi
            //   006c70ff             | add                 byte ptr [eax + esi*2 - 1], ch
            //   0808                 | or                  byte ptr [eax], cl
            //   008f38001b26         | add                 byte ptr [edi + 0x261b0038], cl
            //   001b                 | add                 byte ptr [ebx], bl
            //   0d002a2364           | or                  eax, 0x64232a00
            //   ff08                 | dec                 dword ptr [eax]

        $sequence_8 = { 894658 ff15???????? 8b0e 8d55e0 52 56 ff91b0020000 }
            // n = 7, score = 100
            //   894658               | mov                 dword ptr [esi + 0x58], eax
            //   ff15????????         |                     
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8d55e0               | lea                 edx, [ebp - 0x20]
            //   52                   | push                edx
            //   56                   | push                esi
            //   ff91b0020000         | call                dword ptr [ecx + 0x2b0]

        $sequence_9 = { 7424 66833801 751e bb03000000 2b5814 3b5810 }
            // n = 6, score = 100
            //   7424                 | je                  0x26
            //   66833801             | cmp                 word ptr [eax], 1
            //   751e                 | jne                 0x20
            //   bb03000000           | mov                 ebx, 3
            //   2b5814               | sub                 ebx, dword ptr [eax + 0x14]
            //   3b5810               | cmp                 ebx, dword ptr [eax + 0x10]

        $sequence_10 = { 8b8da4feffff ff5134 85c0 dbe2 7d0f }
            // n = 5, score = 100
            //   8b8da4feffff         | mov                 ecx, dword ptr [ebp - 0x15c]
            //   ff5134               | call                dword ptr [ecx + 0x34]
            //   85c0                 | test                eax, eax
            //   dbe2                 | fnclex              
            //   7d0f                 | jge                 0x11

        $sequence_11 = { 6a02 50 56 ff9250090000 eb0f }
            // n = 5, score = 100
            //   6a02                 | push                2
            //   50                   | push                eax
            //   56                   | push                esi
            //   ff9250090000         | call                dword ptr [edx + 0x950]
            //   eb0f                 | jmp                 0x11

        $sequence_12 = { 8d4db0 ff15???????? 50 ff15???????? 8d4db0 }
            // n = 5, score = 100
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8d4db0               | lea                 ecx, [ebp - 0x50]

        $sequence_13 = { 8b4da4 6a68 68???????? 51 50 ff15???????? }
            // n = 6, score = 100
            //   8b4da4               | mov                 ecx, dword ptr [ebp - 0x5c]
            //   6a68                 | push                0x68
            //   68????????           |                     
            //   51                   | push                ecx
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_14 = { ff15???????? 8935???????? 85f6 5e 750a c705????????01000000 }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8935????????         |                     
            //   85f6                 | test                esi, esi
            //   5e                   | pop                 esi
            //   750a                 | jne                 0xc
            //   c705????????01000000     |     

        $sequence_15 = { 33d2 8a1430 8bc2 69c000000100 0f80f4030000 33d2 8a1437 }
            // n = 7, score = 100
            //   33d2                 | xor                 edx, edx
            //   8a1430               | mov                 dl, byte ptr [eax + esi]
            //   8bc2                 | mov                 eax, edx
            //   69c000000100         | imul                eax, eax, 0x10000
            //   0f80f4030000         | jo                  0x3fa
            //   33d2                 | xor                 edx, edx
            //   8a1437               | mov                 dl, byte ptr [edi + esi]

    condition:
        7 of them and filesize < 8560640
}
Download all Yara Rules