xenorat | 2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132 | Triage

Submit
Reports

Overview

overview

Static

static

3

SecuriteIn...86.exe

windows7-x64

3

SecuriteIn...86.exe

windows10-2004-x64

Sharing

General

Target

[email protected]
Size

451KB
Sample

240328-lc68ksfa77
MD5

6614077c77a8182f0307a720071f2197
SHA1

06a06a6d02ad281942ed8b6890f099be54275bb2
SHA256

2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
SHA512

26b1249631b8762d332b04ccac12faf4e52a4641efa90ff0c13596715c5ef8f4eb08c4e6e32efe551ebf3a3a432a897c33eafa9980dd12eeb65213081f3d77cb
SSDEEP

12288:QLMEalqxXblqoRX5qbfphLxaO3qX+t4SJ:cqaXNabfphLxa4w4

Score

10^/10

xenorat xmrig miner rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

[email protected]

Resource

win7-20240220-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

[email protected]

Resource

win10v2004-20240226-en

xenorat xmrig miner rat spyware stealer trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

puredgb.duckdns.org

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Fobus.exe

Targets

- Target
  
  [email protected]
- Size
  
  451KB
- MD5
  
  6614077c77a8182f0307a720071f2197
- SHA1
  
  06a06a6d02ad281942ed8b6890f099be54275bb2
- SHA256
  
  2935daeddeb1f505cea4ad368f598ab029942d91d831b71bbe4de5284c7a3132
- SHA512
  
  26b1249631b8762d332b04ccac12faf4e52a4641efa90ff0c13596715c5ef8f4eb08c4e6e32efe551ebf3a3a432a897c33eafa9980dd12eeb65213081f3d77cb
- SSDEEP
  
  12288:QLMEalqxXblqoRX5qbfphLxaO3qX+t4SJ:cqaXNabfphLxa4w4
Score

10^/10

xenorat xmrig miner rat spyware stealer trojan
- XMRig Miner payload
  miner
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Process Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xenoratxmrigminerratspywarestealertrojan

© 2018-2025

Terms | Privacy