Malpedia identifier: win.xpertrat

XpertRAT


According to PCrisk, XpertRAT is a Remote Administration Trojan (RAT): a malicious program that gives criminals remote access to, and control over, infected computers. Victims typically install it unknowingly after being tricked into running it. The references below do not describe it in isolation: K7 Security's write-up pairs it with Agent Tesla, and the Talos campaign report lists it alongside MASS Logger, Nanocore RAT, NetWire and Revenge RAT, so an XpertRAT detection on a host is a reason to look for further commodity payloads delivered by the same campaign.

References
2021-04-21 | Talos | Vanja Svajcer
@online{svajcer:20210421:year:4741c8e, author = {Vanja Svajcer}, title = {{A year of Fajan evolution and Bloomberg themed campaigns}}, date = {2021-04-21}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html}, language = {English}, urldate = {2021-04-28} } A year of Fajan evolution and Bloomberg themed campaigns
Families covered: MASS Logger, Nanocore RAT, NetWire RC, Revenge RAT, XpertRAT
2018-12-18 | K7 Security | Lokesh J
@online{j:20181218:scumbag:720cb3c, author = {Lokesh J}, title = {{Scumbag Combo: Agent Tesla and XpertRAT}}, date = {2018-12-18}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=15672}, language = {English}, urldate = {2020-01-06} } Scumbag Combo: Agent Tesla and XpertRAT
XpertRAT
2018-03-12 | Veronica Valeros' Blog | Veronica Valeros
@online{valeros:20180312:study:73a8b6b, author = {Veronica Valeros}, title = {{A Study of RATs: Third Timeline Iteration}}, date = {2018-03-12}, organization = {Veronica Valeros' Blog}, url = {https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration}, language = {English}, urldate = {2020-01-10} } A Study of RATs: Third Timeline Iteration
XpertRAT
Yara Rules
[TLP:WHITE] win_xpertrat_auto (20230715 | Detects win.xpertrat.)
// Auto-generated code-sequence signature for the Malpedia family win.xpertrat.
// The string bytes below were emitted by yara-signator from disassembly of
// unpacked samples / memory dumps (see the DISCLAIMER and REVIEW NOTES inside).
rule win_xpertrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.xpertrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (reviewer comments, not part of the generated rule)
     * - Scope: because the byte sequences were taken from unpacked code, the
     *   rule is not expected to hit packed or crypted copies on disk. Scan
     *   unpacked files, or memory dumps that have been written to disk.
     * - The "score" value in each string's comment appears to be the
     *   generator's per-sample coverage figure (two groups here, 200 and
     *   100); confirm its exact meaning against the yara-signator
     *   documentation before using it as a confidence weight.
     * - $sequence_0 .. $sequence_7 (score 200): the generator's own
     *   disassembly of these bytes is incoherent ("outsb", "insb",
     *   "add byte ptr [ecx + 0x68], dh", "jo 1"), which suggests the bytes
     *   were lifted from a data region rather than from executable code.
     *   Such strings tie the rule to one build's data layout and may not
     *   survive a rebuild of the sample.
     * - $sequence_8 .. $sequence_15 (score 100): short test/je/mov idioms
     *   that look like ordinary compiler output. Individually weak; they only
     *   carry meaning in combination.
     * - Condition: any 7 of the 16 strings plus a size cap. Note that the
     *   eight score-200 strings alone are enough to satisfy "7 of them", so
     *   a hit can rest entirely on the data-like group.
     * - `filesize` is only defined when YARA scans a file; on a live-process
     *   scan it is undefined, so this rule is not expected to match there,
     *   while a dump of the same memory written to disk can match.
     */


    strings:
        // --- score-200 group: see REVIEW NOTES; decodes as data, not code ---
        $sequence_0 = { 007168 ff0468 ff0a 250004003c }
            // n = 4, score = 200
            //   007168               | add                 byte ptr [ecx + 0x68], dh
            //   ff0468               | inc                 dword ptr [eax + ebp*2]
            //   ff0a                 | dec                 dword ptr [edx]
            //   250004003c           | and                 eax, 0x3c000400

        $sequence_1 = { 0878ff 0d98000700 6e 74ff }
            // n = 4, score = 200
            //   0878ff               | or                  byte ptr [eax - 1], bh
            //   0d98000700           | or                  eax, 0x70098
            //   6e                   | outsb               dx, byte ptr [esi]
            //   74ff                 | je                  1

        $sequence_2 = { 001b 0d002a2364 ff08 0800 }
            // n = 4, score = 200
            //   001b                 | add                 byte ptr [ebx], bl
            //   0d002a2364           | or                  eax, 0x64232a00
            //   ff08                 | dec                 dword ptr [eax]
            //   0800                 | or                  byte ptr [eax], al

        $sequence_3 = { 006c70ff 0808 008f38001b26 001b }
            // n = 4, score = 200
            //   006c70ff             | add                 byte ptr [eax + esi*2 - 1], ch
            //   0808                 | or                  byte ptr [eax], cl
            //   008f38001b26         | add                 byte ptr [edi + 0x261b0038], cl
            //   001b                 | add                 byte ptr [ebx], bl

        $sequence_4 = { 0d80000700 0474 ff0478 ff05???????? 000d???????? 0878ff 0d98000700 }
            // n = 7, score = 200
            // The two ???????? runs are 4-byte operands wildcarded by the
            // generator (absolute disp32 addresses in the ff05 / 000d encodings).
            //   0d80000700           | or                  eax, 0x70080
            //   0474                 | add                 al, 0x74
            //   ff0478               | inc                 dword ptr [eax + edi*2]
            //   ff05????????         |                     
            //   000d????????         |                     
            //   0878ff               | or                  byte ptr [eax - 1], bh
            //   0d98000700           | or                  eax, 0x70098

        $sequence_5 = { ff0a 250004003c 6c 70ff 0808 008a3800cc1c 5e }
            // n = 7, score = 200
            //   ff0a                 | dec                 dword ptr [edx]
            //   250004003c           | and                 eax, 0x3c000400
            //   6c                   | insb                byte ptr es:[edi], dx
            //   70ff                 | jo                  1
            //   0808                 | or                  byte ptr [eax], cl
            //   008a3800cc1c         | add                 byte ptr [edx + 0x1ccc0038], cl
            //   5e                   | pop                 esi

        $sequence_6 = { 0000 00a1cc004400 0bc0 7402 ffe0 68???????? b8???????? }
            // n = 7, score = 200
            // NOTE(review): the listing below starts decoding at the leading
            // zero bytes. Decoded from the a1 byte instead, this reads as
            //   mov eax, [0x4400cc] / or eax, eax / je +2 / jmp eax /
            //   push imm32 / mov eax, imm32
            // i.e. the shape of a lazily-resolved import thunk, which is
            // toolchain boilerplate rather than family-specific logic.
            // 0x4400cc is an absolute address and would change if the image
            // were rebased or rebuilt with a different layout.
            //   0000                 | add                 byte ptr [eax], al
            //   00a1cc004400         | add                 byte ptr [ecx + 0x4400cc], ah
            //   0bc0                 | or                  eax, eax
            //   7402                 | je                  4
            //   ffe0                 | jmp                 eax
            //   68????????           |                     
            //   b8????????           |                     

        $sequence_7 = { ff4d40 ff08 40 0430 ff0a }
            // n = 5, score = 200
            //   ff4d40               | dec                 dword ptr [ebp + 0x40]
            //   ff08                 | dec                 dword ptr [eax]
            //   40                   | inc                 eax
            //   0430                 | add                 al, 0x30
            //   ff0a                 | dec                 dword ptr [edx]

        // --- score-100 group: plausible code, but generic flag-test idioms ---
        $sequence_8 = { f6c180 7425 81e1ff000000 8b550c }
            // n = 4, score = 100
            //   f6c180               | test                cl, 0x80
            //   7425                 | je                  0x27
            //   81e1ff000000         | and                 ecx, 0xff
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_9 = { f6c10e 8945e8 743b f70700000080 }
            // n = 4, score = 100
            //   f6c10e               | test                cl, 0xe
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   743b                 | je                  0x3d
            //   f70700000080         | test                dword ptr [edi], 0x80000000

        $sequence_10 = { f6c301 740c 8b5510 8b0e }
            // n = 4, score = 100
            //   f6c301               | test                bl, 1
            //   740c                 | je                  0xe
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_11 = { f6c302 740c 8b4d10 8b06 }
            // n = 4, score = 100
            // Mirror of $sequence_10 with the bit mask 2 and the edx/ecx,
            // ecx/eax register roles swapped.
            //   f6c302               | test                bl, 2
            //   740c                 | je                  0xe
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b06                 | mov                 eax, dword ptr [esi]

        $sequence_12 = { f645fc04 7409 8d4de8 ff15???????? 8d55c4 8d45d4 52 }
            // n = 7, score = 100
            // ff15???????? is an indirect call through a wildcarded absolute
            // pointer (typically an import slot).
            //   f645fc04             | test                byte ptr [ebp - 4], 4
            //   7409                 | je                  0xb
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   ff15????????         |                     
            //   8d55c4               | lea                 edx, [ebp - 0x3c]
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   52                   | push                edx

        $sequence_13 = { f6c301 741b 8b4e04 8b07 }
            // n = 4, score = 100
            //   f6c301               | test                bl, 1
            //   741b                 | je                  0x1d
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_14 = { f645fc04 740c 8d45d0 50 }
            // n = 4, score = 100
            //   f645fc04             | test                byte ptr [ebp - 4], 4
            //   740c                 | je                  0xe
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax

        $sequence_15 = { f68564ffffff02 0f84ae0b0000 83ec10 b903400000 }
            // n = 4, score = 100
            // The 0x4003 constant is a literal whose meaning is not
            // recoverable from this listing.
            //   f68564ffffff02       | test                byte ptr [ebp - 0x9c], 2
            //   0f84ae0b0000         | je                  0xbb4
            //   83ec10               | sub                 esp, 0x10
            //   b903400000           | mov                 ecx, 0x4003

    condition:
        // Any 7 of the 16 sequences, and the scanned object must be under
        // 8560640 bytes (~8.2 MiB). See REVIEW NOTES for the live-process
        // scan caveat on `filesize` and for the 7-of-16 threshold.
        7 of them and filesize < 8560640
}