Overview

overview

10

Static

static

10

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-03-2024 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    46KB

  • MD5

    75fdbc2d379d84adacfc0f521d88dd59

  • SHA1

    3a441c75c212a970b1acf547ff67d36e5b3b2767

  • SHA256

    990565da28fb5ee5655a3723add532743334ba88efc998c891344b17549d88aa

  • SHA512

    f6140ded24561c64c4f6722f88209c18cdec8e7b643b3de3777a3ba1390fc440eadfc272dff97a9d7ae040e72797d55ee662ed26df1da2ada4da96c9e071bb64

  • SSDEEP

    768:DdhO/poiiUcjlJInIwH9Xqk5nWEZ5SbTDa7WI7CPW5+:Rw+jjgnhH9XqcnW85SbTyWIG

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

192.168.178.23

Mutex

Windows_Client_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Discord Update

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Roaming\XenoManager\Loader.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Discord Update" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A7A.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2A7A.tmp
    Filesize

    1KB

    MD5

    98ec19a37c08a1707467b39a05d92fc8

    SHA1

    f530e07fc098aa26f0b5c7ff7f481c35794a18f0

    SHA256

    df1c791bbfb73bb139e5c3002e7adba14af7a131d3877ed1d0e0ca19bd4a6fbc

    SHA512

    1cf644d7654609eaa85580c48d89e8c2b78feaa378e5447f5c3c11d8c5fc501353aca6c73c4beb4641f816833b06faa59a9c450bfe97e27c5f7f1a8dfde59701

    Download Submit

  • \Users\Admin\AppData\Roaming\XenoManager\Loader.exe
    Filesize

    46KB

    MD5

    75fdbc2d379d84adacfc0f521d88dd59

    SHA1

    3a441c75c212a970b1acf547ff67d36e5b3b2767

    SHA256

    990565da28fb5ee5655a3723add532743334ba88efc998c891344b17549d88aa

    SHA512

    f6140ded24561c64c4f6722f88209c18cdec8e7b643b3de3777a3ba1390fc440eadfc272dff97a9d7ae040e72797d55ee662ed26df1da2ada4da96c9e071bb64

    Download Submit

  • memory/1264-0-0x0000000000B90000-0x0000000000BA2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1264-1-0x0000000074B00000-0x00000000751EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1264-10-0x0000000074B00000-0x00000000751EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-9-0x00000000002C0000-0x00000000002D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3048-11-0x0000000074B00000-0x00000000751EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-14-0x0000000004390000-0x00000000043D0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3048-15-0x0000000074B00000-0x00000000751EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-16-0x0000000004390000-0x00000000043D0000-memory.dmp

    Filesize

    256KB

    Download