xenorat | 4edcb51c961470638828b8f48a0259fb4b9645192f0b30e1d79b789c9b4c4d7f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b4ced1e11fac0306ee8d9411aea4219.exe
Size

45KB
MD5

0b4ced1e11fac0306ee8d9411aea4219
SHA1

254c74fa4b822381dfb2d258ad77b9935ad619c6
SHA256

4edcb51c961470638828b8f48a0259fb4b9645192f0b30e1d79b789c9b4c4d7f
SHA512

76d0b8d66a84ac66b6ba6a08ad5e2e9ee1f9893c182b4e1be1f236a69bdbeb91139a1b8936e87eb2fed44627f5afc63a30404e279d840a27e5de0926a7a07eed
SSDEEP

768:tdhO/poiiUcjlJInLzo4mH9Xqk5nWEZ5SbTDaoWI7CPW5V:jw+jjgnw4mH9XqcnW85SbTJWId

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

217.63.234.90

Mutex

Xeno_rat_nd8912ddd

Attributes

delay
3500
install_path
appdata
port
8808
startup_name
svchost.exe

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
2980	0b4ced1e11fac0306ee8d9411aea4219.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	0b4ced1e11fac0306ee8d9411aea4219.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2592	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2980	1964	0b4ced1e11fac0306ee8d9411aea4219.exe	28
PID 1964 wrote to memory of 2980	1964	0b4ced1e11fac0306ee8d9411aea4219.exe	28
PID 1964 wrote to memory of 2980	1964	0b4ced1e11fac0306ee8d9411aea4219.exe	28
PID 1964 wrote to memory of 2980	1964	0b4ced1e11fac0306ee8d9411aea4219.exe	28
PID 2980 wrote to memory of 2592	2980	0b4ced1e11fac0306ee8d9411aea4219.exe	29
PID 2980 wrote to memory of 2592	2980	0b4ced1e11fac0306ee8d9411aea4219.exe	29
PID 2980 wrote to memory of 2592	2980	0b4ced1e11fac0306ee8d9411aea4219.exe	29
PID 2980 wrote to memory of 2592	2980	0b4ced1e11fac0306ee8d9411aea4219.exe	29

C:\Users\Admin\AppData\Local\Temp\0b4ced1e11fac0306ee8d9411aea4219.exe
"C:\Users\Admin\AppData\Local\Temp\0b4ced1e11fac0306ee8d9411aea4219.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\XenoManager\0b4ced1e11fac0306ee8d9411aea4219.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\0b4ced1e11fac0306ee8d9411aea4219.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8B.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF8B.tmp

Filesize
1KB

MD5
d685e81a4021b0fdb2a815ea7152e088

SHA1
26b5ba5236125e919697f5650ce7c09afa1c0984

SHA256
3b4c9739dcd5ed1c40bd34d3e4478e93e6136e6700f19b6100cd8130563301ab

SHA512
17ec260fa73f78df37c852cf6be32bf7ac314f6370970468c7f9dc05ce879c256303921881aab4734810225da6858b6f4940e76920a30080711d4f71add6f860

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\0b4ced1e11fac0306ee8d9411aea4219.exe

Filesize
45KB

MD5
0b4ced1e11fac0306ee8d9411aea4219

SHA1
254c74fa4b822381dfb2d258ad77b9935ad619c6

SHA256
4edcb51c961470638828b8f48a0259fb4b9645192f0b30e1d79b789c9b4c4d7f

SHA512
76d0b8d66a84ac66b6ba6a08ad5e2e9ee1f9893c182b4e1be1f236a69bdbeb91139a1b8936e87eb2fed44627f5afc63a30404e279d840a27e5de0926a7a07eed

Download Submit
memory/1964-0-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/1964-1-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-10-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-9-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/2980-11-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-14-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2980-15-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads