Overview

overview

10

Static

static

10

fhdhdh.exe

windows7-x64

10

fhdhdh.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 00:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fhdhdh.exe

  • Size

    45KB

  • MD5

    5b9894f294eca1116e1f406021efde09

  • SHA1

    0c661572b82ac000383d7a50961d8be37e2a7e6f

  • SHA256

    dcb0a0fd16af0e786810d4dc72ed5b06cb6345769510bba2c1a48c0bb16c076c

  • SHA512

    dc907ab28bc0d4e1382151a5f9e6991cbfab9614e30eb51167a679fae8f9841ce42a098ba7b8b521415e268f868a39dceec894b3cf3e957a7b486ba847e8e099

  • SSDEEP

    768:ddhO/poiiUcjlJInXzH9Xqk5nWEZ5SbTDaPWI7CPW5N:Tw+jjgnDH9XqcnW85SbTWWIl

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

47.215.162.109

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4567

  • startup_name

    yes

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fhdhdh.exe
    "C:\Users\Admin\AppData\Local\Temp\fhdhdh.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "yes" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7733.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe
    Filesize

    45KB

    MD5

    5b9894f294eca1116e1f406021efde09

    SHA1

    0c661572b82ac000383d7a50961d8be37e2a7e6f

    SHA256

    dcb0a0fd16af0e786810d4dc72ed5b06cb6345769510bba2c1a48c0bb16c076c

    SHA512

    dc907ab28bc0d4e1382151a5f9e6991cbfab9614e30eb51167a679fae8f9841ce42a098ba7b8b521415e268f868a39dceec894b3cf3e957a7b486ba847e8e099

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7733.tmp
    Filesize

    1KB

    MD5

    2ecdddbc1f4248a10c7c102d3eeb0495

    SHA1

    2ec3fe591ebf587bed90d59a09a4282f3cc611d7

    SHA256

    446f4101ae2327287fc50a0097428d83f93fcd7605672a4f5b3256099e9333a4

    SHA512

    31c707e4abf096cea9cc127d67908049061ade03aab5389361915748cdf89d0f44c460c434da49619a588d7e64c03ac6c7e9f765d928750fbe3ccc5c70c88378

    Download Submit

  • memory/1704-10-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1704-1-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1704-0-0x0000000000210000-0x0000000000222000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2440-11-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2440-9-0x00000000010B0000-0x00000000010C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2440-14-0x0000000001060000-0x00000000010A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2440-15-0x00000000741D0000-0x00000000748BE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2440-16-0x0000000001060000-0x00000000010A0000-memory.dmp

    Filesize

    256KB

    Download