David García Nov 21, 2017 28 min read

New banking malware in Brazil - XPCTRA RAT ANALYSIS

At the end of September 2017 an article was published about the presence of a Spy Banker malware called XPCTRA (Expectra).

Its goals are those of any banking malware:

  • Steal bank credentials
  • Get information to continue to spread

buguroo's Labs did a thorough analysis and reached the conclusion that this is simply a small modification of an already-existing malware. Therefore, in this post we are only analyzing the new aspects it has incorporated. 

The star of this show is the binary with sha256: 98337ca50d0cac2fab4566a39c6149328889bb06a6dd56a4c2a66cbea326138c.

In the initial analysis we observed that its structure is fairly similar to the QuasarRAT family. This can be seen when the structure of the binary analyzed in this post is compared to the typical QuasarRAT malware structure compiled with the default options of the code published in github.There are some small differences due to the fact that the code published in github is a more recent version. 

BinaryStructure.pngIlustration 1. Structure of the binary being studied 


Illustration 2. QuasarRAT structure 


Throughout its execution and use, it refers to a series of parameters it calls “settings” that allow us to track all of the actions it anticipates in more detail: 


Ilustration 3. The binary’s settings



The first thing it does is install itself in the victim’s computer, and to do this it uses a digital certificate to intercept https traffic.

It may happen that the certificate is already installed in the user’s computer. If this is the case, the malicious code will jump directly to the bank credentials theft phase.

If one isn’t already installed, it generates a certificate and installs it using the certutil system tool:

“certutil –addstore \Root\$Variable_Path\fiddlerRoot.cet”

If the installation produces errors, it seeks to create a certificate through the screen resolution of the victim’s computer. To identify the real screen resolution, it closes any browsers that may be open: firefox.exe, chrome.exe or iexplore.exe and ends their execution using this command:

“taskkill /f /im $Nombre_proceso.exe”

Once it has the screen resolution, it generates the certificate using the originals mouse positions, as shown below:


Illustration 4. Certificate coordinates

Once installed, it begins collecting data from the machine that is infected, searching for the following data:

  • Name of the infected machine 
  • User name
  • Machine architecture
  • Directory where the executable program is located
  • Path to the Temp folder
  • Screen resolution
  • The device’s Mac Address
  • Whether it has any of the plugins for Banco do Brasil or Caixa Económica Federal installed.
  • Whether there is an antivirus installed in the machine.


Illustration 5. Information collected from the device 

When it has the information it was seeking, it achieves persistence in the system, elevating privileges. To do this, it adds a key in the Windows registry that checks for its presence each time the binary run is initiated:

“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows\CurrentVersion\Run”


And to attempt to elevate privileges there, first it creates a user with the user name “user” and the password “!@c4rnic3ir0!@”. It attempts to give administrator privileges to this user as well as adding it to the group of those users who can connect to the device remotely.


With the persistence achieved and with the permissions it considers necessary, it informs the control panel that there is a new infected user.

To do this, it sends the infected machine’s information by means of a request to the control panel (C&C):


Illustration 6. Information in the control panel 

After notifying the control panel that there is a new infection, the malware attempts to find the user’s geographical location. And to achieve this, it sends requests to the following websites where it can obtain the public IP address, together with its geolocation:

  • http://ip-api.com/json
  • http://api.ipify.org

This is the end of its installation and execution, and it goes on to the next step: exploitation.


Bank credentials theft

To steal bank credentials, the malware checks the URL address that the infected user accesses through the browser.

To protect itself in its search, if it detects that the user is browsing on an antivirus page or that there are antivirus processes being executed in the system, or even if the computer is connected to another website that might lead to the malware being detected, the malware shows a 404 error with a message indicating that the website is temporarily unavailable.


Illustration 7. URLs that the malware tries to avoid 

The complete list of URLs that it detects and blocks with the 404 error message are listed below:


If it rules out the above list, it goes on to check whether the user is going onto any target URL, to rob the bank credentials. The target URLs are as follows:


Regarding the target URL, if the user goes onto one of the Banco do Brasil or Caixa Económica Federal bank pages, the malware behaves differently..

For these cases, the malware checks whether these files exist in the system: 

  • LockBB.txt for Banco do Brasil
  • LockCef.txt for Caixa Económica Federal

These files are created by the malware when the attacker order to block the access to the online banking site. On this file the malware writes the current datetime (day, month and hour). This data is used to block the access to the banking site for the next 24 hours. If the user tries to access, the message "The page is under maintenance" will be displayed.

The regular expression with the day, month and time that the blocking for the theft will take place is written into the file.


When a user tries to gain access to one of the target pages, the malware sends the following information:

  • IP Addess
  • Machine Name
  • Type
  • MAC Address
  • Target Name

After the notification, the cybercriminal may carry out any of the following actions: 

  • Close the connection with the target URL.
  • Send the cookies pertaining to the site the user attempted to connect to, generating a file with an sqlite extension.
  • Cause the user to be shown a screen requesting they enter the access password.
  • Block access to the bank for 24 hours, creating a LockBB.txt or LockCef.txt file.

The malware runs the tasks to begin to behave like the RATQuasar, so that the cybercriminal can take control of the infected machine. This confirms our initial suspicions that this is a modification of that malware.  

For the second case, in which the target URLs are not Banco do Brasil or Caixa Económica Federal, the malware shows a screen with a fake login to try to rob the bank credentials from the infected user and send them to the cybercriminal. If the URL does not coincide with any of those listed among the targets, it checks whether the URL corresponds to any of the following:

If it coincides with one of these, the malware steals the email and password entered by the user, as well as the service the user accessed, and saves them in a file named “E-Vit.txt” that it will use later.


Information theft so it can spread

After the theft has been carried out, the malware’s next task is to spread and infect other users.

It searches for various files with specific extensions, looking for email addresses it can send a spam email to in order to infect other users who are connected to the victim.

This process is carried out as follows:

In the same folder where the malware has copied itself there are 3 folders that it will use in this phase:

  • Enviado.txt: file containing a list of emails that have already been sent the spam.
  • E-Enviar.txt: file containing a list of emails that the spam will be sent to..
  • E-Vit.txt: file containing the access credentials for different email services, which have been stolen from the infected user and will be used to do the spam mailing. 

To do this, it recovers the route information for the following directories:

  • Desktop folder
  • User’s personal folder 
  • C:\\

The malware lists all the files present in each of the above directories and checks whether any of them contain the following extensions:

  • Txt
  • Doc
  • Dat
  • Wab
  • Xlxs

The malware will add all the email addresses to the “E-Enviar.txt” file, which can be found where the binary is running. When it has completed the search for emails in the victim’s computer, it checks whether the E-enviar.txt and E-Vit.txt files exist. If they are both present, the malware checks that the emails found in E-Enviar.txt are not already present in the Enviado.txt file.

The malware connects with the Spam email template and fills it in with the email addresses it has obtained:



Once the email has been sent to the potential victim, the email address is added to the Enviado.txt file to better track the campaign. 

Finally, the malware notifies the control panel (C&C) of all the email addresses the spam email was sent to. 



IOCS from this campaign: We can see how 3 different Command and Controls (C&C) were identified from the different samples. 


First Submission on VT SHA256
2017-08-22 18:38:34 ab0e78800174f62725411de5425e8322f76f678f2706da595e7e2fe17a6daa91
2017-08-11 04:43:21 98337ca50d0cac2fab4566a39c6149328889bb06a6dd56a4c2a66cbea326138c
2017-08-31 04:34:17 4e5080b3abf246077c87c88ef0030eba23f9b54c78774ff5afb987bcd6797c6a
2017-10-26 04:39:51 1c955b144dba3b47cc87f57ce256fe31a596ae358ad039a9a8761e359d837579
2017-09-21 04:47:23 1d861adba18935ca4fed4af0d0b1afe31000238afca0d300e0e68583039acb23
2017-09-22 16:58:00 2e9d2f0ce97c91e598f6b84f937136c7ca151bdb8dfce56d2f67571637d53134
2017-09-28 04:52:33 e8d965991bcb7f6a48273ba8c133c9b9c0f14247dcce75aaab0c763bd03e0dd4



First Submission on VT SHA256
2017-09-21 22:09:12 8332c91467f480e47eb1b02a5a2a06b97af309579dbfce35b9578ff259cfcd8d
2017-09-22 22:22:55 d8309bc9317c96f1cf9d9cce9562c8c639556a13b28085bd3d3e0e487190f670
2017-09-25 15:11:32 92ff4d1348acb90876351db4e9ee329a2882bb8478cadd812e5d93351518aae1
2017-09-23 08:35:08 886c6466214496f944abd4de83a01773647184efcc4f385a6c26f1b2dda81636
2017-09-25 15:11:39 a2a6dc9ddfd5f1bbf7134b8ea9a9ec268cefdada109b52272f3fd2d0c3e3a19c
2017-09-25 15:11:40 fb608cf015648a9bdcc34fa6a2cf6fa22c74ed6bdaf3d852c6d401cee83f6413



(Versión más actual del QuasarRAT que coincide con la estructura mostrada al principio del documento)

First Submission on VT SHA256
2017-08-04 20:55:03 e8847241f72b910a266341e060354e762c88143e5e370bf4e1e6c87445a7bd7d
2017-08-18 11:17:59 b4562318d4a76c0f33ae7def723a438f55c66b9c94e5629694e62eb45b3d87fc
2017-07-20 01:17:16 c704eff77103feaa95ade3fa6b840f081f7333adc9f0c32748400bc9612fb2be
2017-07-15 02:08:00 c7567c3034eb48ca51fcd5a55414fbe8015cdc8824367a669d2cb45404e4bf97
2017-09-03 10:43:06 a6dc1bc8cf227dc7340329c37dc8fb683901a6534b9e8bd6371e2c93842409b5


You might be interested in our malware trends report for 2021


David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.