xenorat | 13f183db5e4f7cbdef0673b81f35e99b712c08c6c545152ab0f8ee1ac140a8b5 | Triage

Sharing

General

Target

AuthClient.exe
Size

45KB
Sample

240324-vceyrsge6y
MD5

9f3540bc47fad7d3e44b77bd7d393cb9
SHA1

75a3c191551c6e2383a889e19944999dcaca082e
SHA256

13f183db5e4f7cbdef0673b81f35e99b712c08c6c545152ab0f8ee1ac140a8b5
SHA512

465a5b0f1ddaee38fd5c28cbcc9d69489146a816d3420ed1a7ea2c0f0816b0f9a0b8f40fe88680af324404ed97db95ad8e236d06a2ea144d1c5fc8791f7226c7
SSDEEP

768:7dhO/poiiUcjlJInkwH9Xqk5nWEZ5SbTDaHWI7CPW5p:pw+jjgnFH9XqcnW85SbTOWIh

Score

10^/10

xenorat persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

C2

Vallithebest-32755.portmap.host

Mutex

Xeno_rat_nd8912d

Attributes

delay
2000
install_path
temp
port
32755
startup_name
AuthClient

Targets

- Target
  
  AuthClient.exe
- Size
  
  45KB
- MD5
  
  9f3540bc47fad7d3e44b77bd7d393cb9
- SHA1
  
  75a3c191551c6e2383a889e19944999dcaca082e
- SHA256
  
  13f183db5e4f7cbdef0673b81f35e99b712c08c6c545152ab0f8ee1ac140a8b5
- SHA512
  
  465a5b0f1ddaee38fd5c28cbcc9d69489146a816d3420ed1a7ea2c0f0816b0f9a0b8f40fe88680af324404ed97db95ad8e236d06a2ea144d1c5fc8791f7226c7
- SSDEEP
  
  768:7dhO/poiiUcjlJInkwH9Xqk5nWEZ5SbTDaHWI7CPW5p:pw+jjgnFH9XqcnW85SbTOWIh
Score

10^/10

xenorat persistence rat spyware stealer trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratpersistenceratspywarestealertrojan

behavioral2

xenoratratspywarestealertrojan

behavioral3

xenoratratspywarestealertrojan