Overview

overview

10

Static

static

10

0x00070000...12.exe

windows7-x64

10

0x00070000...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2024, 09:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x000700000002327c-112.exe

  • Size

    45KB

  • MD5

    838b98ebbd662c0f4e5cc5cbcafa2cfa

  • SHA1

    58ff94e92c2548f87a9284a0ac5cea0d472309e0

  • SHA256

    5649336f36c1479f2b2a499a7555743579c4d0ec64ffdaf41c8d8090ae94964a

  • SHA512

    a4505475953c0bb5614bc0468defdc550401e758230d8b9c65332aed2f07a7f31ba968d462718a6bf2de825903d84203946e8c085edceb6148fae88b1a48233c

  • SSDEEP

    768:ZdhO/poiiUcjlJInyHqH9Xqk5nWEZ5SbTDadWI7CPW5Q:Xw+jjgnVH9XqcnW85SbTEWI4

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

puredgb.duckdns.org

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Fobus.exe

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000700000002327c-112.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000700000002327c-112.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Users\Admin\AppData\Roaming\XenoManager\0x000700000002327c-112.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\0x000700000002327c-112.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Fobus.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A19.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:3176

Network

  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.134.221.88.in-addr.arpa
    IN PTR
    Response
    41.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    6.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    6.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    puredgb.duckdns.org
    0x000700000002327c-112.exe
    Remote address:
    8.8.8.8:53
    Request
    puredgb.duckdns.org
    IN A
    Response
    puredgb.duckdns.org
    IN A
    200.165.100.3
  • flag-us
    DNS
    3.100.165.200.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    3.100.165.200.in-addr.arpa
    IN PTR
    Response
    3.100.165.200.in-addr.arpa
    IN PTR
    200-165-100-3user3p veloxzonecombr
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    40.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    40.134.221.88.in-addr.arpa
    IN PTR
    Response
    40.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-40deploystaticakamaitechnologiescom
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 200.165.100.3:4444
    puredgb.duckdns.org
    0x000700000002327c-112.exe
    824 B
     695 B
     12
    11
  • 200.165.100.3:4444
    puredgb.duckdns.org
    0x000700000002327c-112.exe
    7.3kB
     11.5kB
     119
    226
  • 200.165.100.3:4444
    puredgb.duckdns.org
    0x000700000002327c-112.exe
    6.3kB
     6.5kB
     69
    127
  • 200.165.100.3:4444
    puredgb.duckdns.org
    0x000700000002327c-112.exe
    1.1kB
     14.4kB
     20
    21
  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    41.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    41.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    6.181.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    6.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    puredgb.duckdns.org
    dns
    0x000700000002327c-112.exe
    65 B
     81 B
     1
    1

    DNS Request

    puredgb.duckdns.org

    DNS Response

    200.165.100.3

  • 8.8.8.8:53
    3.100.165.200.in-addr.arpa
    dns
    72 B
     123 B
     1
    1

    DNS Request

    3.100.165.200.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    40.134.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    40.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4A19.tmp
    Filesize

    1KB

    MD5

    8a6874238bd731c08d8b6ccc32efd9db

    SHA1

    6995531c5fecf8a03a165b1538e7106838e0dfc6

    SHA256

    d866249249d6df920205d3ca40001211eef0f7d76a305a0950d7cb44fa8046b3

    SHA512

    faa34c78f921884484922cd6cebbcda213dc1cc1dd0f6c70a922f0934008a0370d76fd1959f14956e777477e828cffc857850406e28b692a7cf955fa98d44aba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XenoManager\0x000700000002327c-112.exe
    Filesize

    45KB

    MD5

    838b98ebbd662c0f4e5cc5cbcafa2cfa

    SHA1

    58ff94e92c2548f87a9284a0ac5cea0d472309e0

    SHA256

    5649336f36c1479f2b2a499a7555743579c4d0ec64ffdaf41c8d8090ae94964a

    SHA512

    a4505475953c0bb5614bc0468defdc550401e758230d8b9c65332aed2f07a7f31ba968d462718a6bf2de825903d84203946e8c085edceb6148fae88b1a48233c

    Download Submit

  • memory/3212-1-0x0000000074B80000-0x0000000075330000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3212-0-0x00000000004C0000-0x00000000004D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3212-15-0x0000000074B80000-0x0000000075330000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4680-14-0x0000000074B80000-0x0000000075330000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4680-16-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4680-19-0x0000000005A20000-0x0000000005A86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4680-20-0x00000000059D0000-0x00000000059DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4680-21-0x00000000063C0000-0x0000000006964000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4680-22-0x0000000005EF0000-0x0000000005F82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4680-23-0x0000000006080000-0x000000000608A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4680-24-0x0000000074B80000-0x0000000075330000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4680-25-0x0000000004F00000-0x0000000004F10000-memory.dmp

    Filesize

    64KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.