xenorat | 5e5eaafb3547a91972fd42a2fb4b74f533ceedcbfcc7efa437e9f2027f4a7152

Sharing

Copy URL

Twitter E-mail

General

Target

MayhemAim.rar
Size

41.3MB
Sample

240404-srm7ksbb2y
MD5

f1515c42f9a03740cd6e73a6f7ec5d72
SHA1

c4868b8bde613aa8508ce496660720eb90c592f9
SHA256

5e5eaafb3547a91972fd42a2fb4b74f533ceedcbfcc7efa437e9f2027f4a7152
SHA512

e21434ecf50c37d5d19f78b698e45f76fee83c14e2f9171a7569c21664435734f7fa60636ae99c6fe9d91f20de09dfec166e6db468bc13800a7bedee6e6b9aa1
SSDEEP

786432:51jOnyy559/PlEMnCGT96Wv5M1kv/z8HKim92HDRUE3ItmeOYkE2U6JpM:/aNCG4hEAqX2HF9zqkNU6JpM

Score

10^/10

Malware Config

Extracted

Family

xenorat

6.tcp.ngrok.io

Mutex

fdsfdsfsdfsdfnd8912d

Attributes

delay
1000
install_path
appdata
port
17147
startup_name
Intel Processor ©

Targets

- Target
  
  MayhemAim/MayAimV1.3.EXE
- Size
  
  52.8MB
- MD5
  
  4b734573819d52ac89d637ff0f802971
- SHA1
  
  37a7c0fc457feca1e9d6faa2c216115a7894ecd2
- SHA256
  
  1518c30f9c0b3cb8374bc49e9d525e75f364bfb6b19311b9d1dfdb45f17b6308
- SHA512
  
  57e48394301a486d8aa524a679c38626e2824e127c796788fbbdccf5b5226f303fcfe910bdf1c5fe08e1ce24b3a8696772945b885642525b2a2d804c7a692016
- SSDEEP
  
  1572864:4BKda+yVUIW9s+3RLMR28kh1y3RFLVqgFsl2fok60:4vRkB8kAxqkl
Score

10^/10

xenorat persistence pyinstaller rat spyware stealer trojan upx
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1
- Target
  
  MayhemAim/README.txt
- Size
  
  197B
- MD5
  
  e4be95e0b0512b5aba854e44d9e5871f
- SHA1
  
  4645336952dc91f530b19b0e267ff6768e83ae8e
- SHA256
  
  b617deb0d2d55f73361ec88123f51852f76fc3fab1a8deb33f47c7735c742c4e
- SHA512
  
  e6ceba58606915316c9e5780e540a4d72c2ec9fe9cfeba3d66a059ad46bd9a3ae607fdb1f0b5d911e2c52981fdd2534b69082b9addbec18e7603793f5bb106ec
Score

1^/10
behavioral2 behavioral3
- Target
  
  MayhemAim/assets.dll
- Size
  
  5.1MB
- MD5
  
  773b3b72481fd8ef9b62b5ef0fe8040a
- SHA1
  
  a42cbc7aab88689e834c158b24af8722586cf1b4
- SHA256
  
  7f93fef11819a9f4b8edd342a1c2d3dbab25698ed75f9713ee1167fa2f852331
- SHA512
  
  db7d29100060afc909cbf20bcd6d9c02fc0b29d8ee32606e2d6cf18270484f2b46853cda0b495a85cc7a2e3ae4536030a25216f101dceabf2f972e3375208c38
- SSDEEP
  
  768:+UI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUI7yUIn:3
Score

1^/10
behavioral4 behavioral5
- Target
  
  MayhemAim/instructions.txt
- Size
  
  215B
- MD5
  
  fb0105493312e99b08a70edb3c163b4c
- SHA1
  
  5227b6562c797567935e4f232546b7084c11ce22
- SHA256
  
  e387ddfcf3ce7b23cf538a9908efcbd296c590291760a557793f672552a85aa3
- SHA512
  
  fd22b271599a6bc51805ddcbc14330a3684019a306ef841f1ea470b62db1300c9cbceb8b6490dd1df84d24ac8a637e51cdbf963f70c9e0da9250d12db4d20924
Score

1^/10
behavioral6 behavioral7
- Target
  
  MayhemAim/license.txt
- Size
  
  6KB
- MD5
  
  0b09566254b011d989decf0e23a902eb
- SHA1
  
  3ae5cd6be73daf418b8deee9c865cf78225838c9
- SHA256
  
  a19d58aaab15c4d0019e569d1c073d1b5286fdd37dbeee7a58a7d1ae76045ae1
- SHA512
  
  4e22e58f925879306261e5993039e1d84d87f8fecc0f9fdad534da55b6fd22be77e622a4077d8d521f7734e5535f66853d581155987e2f3607e2d386938c218b
- SSDEEP
  
  192:uEwjuKsgA4+XYdXjA+okS63vZBCSUziJm:eNs8+QRVxBRU1
Score

1^/10
behavioral8 behavioral9