Overview

overview

10

Static

static

10

0x00070000...12.exe

windows7-x64

10

0x00070000...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2024 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x000700000002327c-112.exe

  • Size

    45KB

  • MD5

    838b98ebbd662c0f4e5cc5cbcafa2cfa

  • SHA1

    58ff94e92c2548f87a9284a0ac5cea0d472309e0

  • SHA256

    5649336f36c1479f2b2a499a7555743579c4d0ec64ffdaf41c8d8090ae94964a

  • SHA512

    a4505475953c0bb5614bc0468defdc550401e758230d8b9c65332aed2f07a7f31ba968d462718a6bf2de825903d84203946e8c085edceb6148fae88b1a48233c

  • SSDEEP

    768:ZdhO/poiiUcjlJInyHqH9Xqk5nWEZ5SbTDadWI7CPW5Q:Xw+jjgnVH9XqcnW85SbTEWI4

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

puredgb.duckdns.org

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Fobus.exe

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000700000002327c-112.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000700000002327c-112.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Roaming\XenoManager\0x000700000002327c-112.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\0x000700000002327c-112.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Fobus.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A19.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:3176

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4A19.tmp
    Filesize

    1KB

    MD5

    8a6874238bd731c08d8b6ccc32efd9db

    SHA1

    6995531c5fecf8a03a165b1538e7106838e0dfc6

    SHA256

    d866249249d6df920205d3ca40001211eef0f7d76a305a0950d7cb44fa8046b3

    SHA512

    faa34c78f921884484922cd6cebbcda213dc1cc1dd0f6c70a922f0934008a0370d76fd1959f14956e777477e828cffc857850406e28b692a7cf955fa98d44aba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\XenoManager\0x000700000002327c-112.exe
    Filesize

    45KB

    MD5

    838b98ebbd662c0f4e5cc5cbcafa2cfa

    SHA1

    58ff94e92c2548f87a9284a0ac5cea0d472309e0

    SHA256

    5649336f36c1479f2b2a499a7555743579c4d0ec64ffdaf41c8d8090ae94964a

    SHA512

    a4505475953c0bb5614bc0468defdc550401e758230d8b9c65332aed2f07a7f31ba968d462718a6bf2de825903d84203946e8c085edceb6148fae88b1a48233c

    Download Submit
  • memory/3212-1-0x0000000074B80000-0x0000000075330000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3212-0-0x00000000004C0000-0x00000000004D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3212-15-0x0000000074B80000-0x0000000075330000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4680-14-0x0000000074B80000-0x0000000075330000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4680-16-0x0000000004F00000-0x0000000004F10000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4680-19-0x0000000005A20000-0x0000000005A86000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4680-20-0x00000000059D0000-0x00000000059DC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/4680-21-0x00000000063C0000-0x0000000006964000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4680-22-0x0000000005EF0000-0x0000000005F82000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4680-23-0x0000000006080000-0x000000000608A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4680-24-0x0000000074B80000-0x0000000075330000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4680-25-0x0000000004F00000-0x0000000004F10000-memory.dmp
    Filesize

    64KB

    Download