win.xpertrat

XpertRAT


According to PCrisk, XpertRAT is a Remote Administration Trojan (RAT): a malicious program that gives its operators remote access to, and control over, infected computers. Users typically install it inadvertently after being tricked into running it. Because an infected machine is under the operator's remote control, the consequences for its owner can be serious.

References
2021-04-21 — Talos — Vanja Svajcer
A year of Fajan evolution and Bloomberg themed campaigns
MASS Logger Nanocore RAT NetWire RC Revenge RAT XpertRAT
2018-12-18 — K7 Security — Lokesh J
Scumbag Combo: Agent Tesla and XpertRAT
XpertRAT
2018-03-12 — Veronica Valeros' Blog — Veronica Valeros
A Study of RATs: Third Timeline Iteration
XpertRAT
Yara Rules
[TLP:WHITE] win_xpertrat_auto (20260504 | Detects win.xpertrat.)
// Auto-generated (yara-signator) code-sequence rule for win.xpertrat.
// It matches when at least 7 of the 16 byte sequences below occur in an
// object smaller than 8560640 bytes (~8.2 MiB). Per the disclaimer inside,
// the sequences were lifted from unpacked samples / memory dumps, so the
// rule is not expected to fire on packed on-disk droppers.
rule win_xpertrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.xpertrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Reading the per-string annotations:
    //   n     = number of instructions in the sequence (matches the listed
    //           disassembly line count).
    //   score = yara-signator's ranking of the sequence; higher appears to
    //           mean "more specific / shared by more reference samples" —
    //           TODO confirm against the yara-signator documentation.
    //   ????  = 4-byte wildcard replacing the operand of the preceding opcode
    //           (e.g. the imm32 of ff15 / ff05 / e9), so matching does not
    //           depend on the image's load address.
    // NOTE(review): the disassembly shown for $sequence_0 .. $sequence_7
    // decodes to implausible code (runs of 00 00 "add byte ptr [eax], al",
    // 0d002a2364, cc1c, ...). These byte runs look like data or misaligned
    // code rather than genuine instruction streams; they are low-entropy and
    // therefore weaker discriminators than the ff15 ... cmp/jcc sequences
    // ($sequence_8 .. $sequence_15). Weigh that when assigning confidence.
    strings:
        $sequence_0 = { ff08 40 0430 ff0a 4c 000c00 }
            // n = 6, score = 200
            //   ff08                 | dec                 dword ptr [eax]
            //   40                   | inc                 eax
            //   0430                 | add                 al, 0x30
            //   ff0a                 | dec                 dword ptr [edx]
            //   4c                   | dec                 esp
            //   000c00               | add                 byte ptr [eax + eax], cl

        $sequence_1 = { 008a3800cc1c 5e 006c70ff 0808 008f38001b26 001b 0d002a2364 }
            // n = 7, score = 200
            //   008a3800cc1c         | add                 byte ptr [edx + 0x1ccc0038], cl
            //   5e                   | pop                 esi
            //   006c70ff             | add                 byte ptr [eax + esi*2 - 1], ch
            //   0808                 | or                  byte ptr [eax], cl
            //   008f38001b26         | add                 byte ptr [edi + 0x261b0038], cl
            //   001b                 | add                 byte ptr [ebx], bl
            //   0d002a2364           | or                  eax, 0x64232a00

        $sequence_2 = { 001b 0d002a2364 ff08 0800 }
            // n = 4, score = 200
            //   001b                 | add                 byte ptr [ebx], bl
            //   0d002a2364           | or                  eax, 0x64232a00
            //   ff08                 | dec                 dword ptr [eax]
            //   0800                 | or                  byte ptr [eax], al

        $sequence_3 = { ff05???????? 000d???????? 0878ff 0d98000700 6e 74ff }
            // n = 6, score = 200
            //   ff05????????         |                     
            //   000d????????         |                     
            //   0878ff               | or                  byte ptr [eax - 1], bh
            //   0d98000700           | or                  eax, 0x70098
            //   6e                   | outsb               dx, byte ptr [esi]
            //   74ff                 | je                  1

        $sequence_4 = { 000d???????? 0870ff 0d80000700 0474 ff0478 }
            // n = 5, score = 200
            //   000d????????         |                     
            //   0870ff               | or                  byte ptr [eax - 1], dh
            //   0d80000700           | or                  eax, 0x70080
            //   0474                 | add                 al, 0x74
            //   ff0478               | inc                 dword ptr [eax + edi*2]

        $sequence_5 = { 0000 ae 045c ff4d40 ff08 40 }
            // n = 6, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   045c                 | add                 al, 0x5c
            //   ff4d40               | dec                 dword ptr [ebp + 0x40]
            //   ff08                 | dec                 dword ptr [eax]
            //   40                   | inc                 eax

        $sequence_6 = { 0000 00a1cc004400 0bc0 7402 }
            // n = 4, score = 200
            //   0000                 | add                 byte ptr [eax], al
            //   00a1cc004400         | add                 byte ptr [ecx + 0x4400cc], ah
            //   0bc0                 | or                  eax, eax
            //   7402                 | je                  4

        $sequence_7 = { 6c 70ff 0808 008a3800cc1c }
            // n = 4, score = 200
            //   6c                   | insb                byte ptr es:[edi], dx
            //   70ff                 | jo                  1
            //   0808                 | or                  byte ptr [eax], cl
            //   008a3800cc1c         | add                 byte ptr [edx + 0x1ccc0038], cl

        // $sequence_8 .. $sequence_15: indirect call (ff15, target masked)
        // followed by a stack/struct compare and branch — the more
        // code-like, higher-specificity half of the rule.
        $sequence_8 = { ff15???????? 83bbd800000001 8d83fc000000 898534f6ffff }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83bbd800000001       | cmp                 dword ptr [ebx + 0xd8], 1
            //   8d83fc000000         | lea                 eax, [ebx + 0xfc]
            //   898534f6ffff         | mov                 dword ptr [ebp - 0x9cc], eax

        $sequence_9 = { ff15???????? 83bd1cffffff00 7505 e9???????? }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83bd1cffffff00       | cmp                 dword ptr [ebp - 0xe4], 0
            //   7505                 | jne                 7
            //   e9????????           |                     

        $sequence_10 = { ff15???????? 83bd8cfeffff00 0f84b0050000 c745fc0a000000 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83bd8cfeffff00       | cmp                 dword ptr [ebp - 0x174], 0
            //   0f84b0050000         | je                  0x5b6
            //   c745fc0a000000       | mov                 dword ptr [ebp - 4], 0xa

        $sequence_11 = { ff15???????? 83bd8cfeffff00 7405 e9???????? }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83bd8cfeffff00       | cmp                 dword ptr [ebp - 0x174], 0
            //   7405                 | je                  7
            //   e9????????           |                     

        $sequence_12 = { ff15???????? 83bd70ffffff00 0f84ca010000 c745fc1a000000 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83bd70ffffff00       | cmp                 dword ptr [ebp - 0x90], 0
            //   0f84ca010000         | je                  0x1d0
            //   c745fc1a000000       | mov                 dword ptr [ebp - 4], 0x1a

        $sequence_13 = { ff15???????? 83bbd800000001 0f8546010000 8d4dd8 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83bbd800000001       | cmp                 dword ptr [ebx + 0xd8], 1
            //   0f8546010000         | jne                 0x14c
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]

        $sequence_14 = { ff15???????? 83bc24a000000005 7c0c 5f }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   83bc24a000000005     | cmp                 dword ptr [esp + 0xa0], 5
            //   7c0c                 | jl                  0xe
            //   5f                   | pop                 edi

        $sequence_15 = { ff15???????? 83bb9400000001 8d83b8000000 89853cf6ffff 8985b4fcffff c785acfcffff03400000 0f8533010000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83bb9400000001       | cmp                 dword ptr [ebx + 0x94], 1
            //   8d83b8000000         | lea                 eax, [ebx + 0xb8]
            //   89853cf6ffff         | mov                 dword ptr [ebp - 0x9c4], eax
            //   8985b4fcffff         | mov                 dword ptr [ebp - 0x34c], eax
            //   c785acfcffff03400000     | mov    dword ptr [ebp - 0x354], 0x4003
            //   0f8533010000         | jne                 0x139

    // Any 7 of the 16 sequences, regardless of which half they come from,
    // plus a size cap of 8560640 bytes (~8.2 MiB) to keep large benign
    // binaries out. NOTE(review): when scanning a live process instead of a
    // file or dump, YARA's `filesize` is not defined, which can keep this
    // rule from matching — confirm for your deployment before relying on it.
    condition:
        7 of them and filesize < 8560640
}