xenorat | e62a6f77fab09529a64f2e5f356c514217ea88ec2dcacf8ad037ac7fc2fddea5

General

Target

ASDASD.exe
Size

45KB
MD5

748bfff2a909d92412d8400e7a86dbda
SHA1

77bdcf2b5232b3c3eb0b6d2525d6f140cd0a92b1
SHA256

e62a6f77fab09529a64f2e5f356c514217ea88ec2dcacf8ad037ac7fc2fddea5
SHA512

1b19d3e50ce090d7f181d74ccf94b8444f7bee76669dc199389a2a0ec46a9ca09f9884b466cb62d3dc75cdb07d47005ad724005b4f4b2fabd5a8998d543a663d
SSDEEP

768:VdhO/poiiUcjlJInhwH9Xqk5nWEZ5SbTDaDWI7CPW5m:rw+jjgnqH9XqcnW85SbTSWIu

Score

10^/10

xenorat rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

C2

choice-certainly.gl.at.ply.gg

Mutex

xeno_42344554563443

Attributes

delay
5000
install_path
appdata
port
24253
startup_name
system

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

ASDASD.exe

pid process

2908 ASDASD.exe
Loads dropped DLL 1 IoCs

Processes:

ASDASD.exe

pid process

2012 ASDASD.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2536 schtasks.exe

pid	process
2012	ASDASD.exe

pid	process
2536	schtasks.exe

Modifies registry class 10 IoCs

Processes:

ASDASD.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command	ASDASD.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell	ASDASD.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell	ASDASD.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	ASDASD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute	ASDASD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\ASDASD.exe\""	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	ASDASD.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ASDASD.exe

pid	process
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ASDASD.exe

description pid process

Token: SeDebugPrivilege 2908 ASDASD.exe

description	pid	process
Token: SeDebugPrivilege	2908	ASDASD.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ASDASD.exeASDASD.exe

description	pid	process	target process
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	ASDASD.exe
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	ASDASD.exe
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	ASDASD.exe
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	ASDASD.exe
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	schtasks.exe
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	schtasks.exe
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	schtasks.exe
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	schtasks.exe
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	cmd.exe
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	cmd.exe
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	cmd.exe
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ASDASD.exe
"C:\Users\Admin\AppData\Local\Temp\ASDASD.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Roaming\XenoManager\ASDASD.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\ASDASD.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D00.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\cmd.exe
cmd /c start "" "%windir%\system32\fodhelper.exe"
3⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3D00.tmp
Filesize
1KB

MD5
ffe469e0dcbd6034267652c079e9f6e5

SHA1
6d75ff1e2a8c84c5e2dfed54b25ed4b724d527a2

SHA256
497e61ebdb3b43b5b52d005fe3d98dd31860cd9dcfb731608a6eb4c84d1cf8fa

SHA512
e94455c5c5bc869d1e90c5c145bb33f48fdbda9a9448dfc95c719f9fbb60fdd0509fbc3f5ffda3926c9c35145c9f4218a545649e1f4bfcf5829f6a708f4922ba

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\ASDASD.exe
Filesize
45KB

MD5
748bfff2a909d92412d8400e7a86dbda

SHA1
77bdcf2b5232b3c3eb0b6d2525d6f140cd0a92b1

SHA256
e62a6f77fab09529a64f2e5f356c514217ea88ec2dcacf8ad037ac7fc2fddea5

SHA512
1b19d3e50ce090d7f181d74ccf94b8444f7bee76669dc199389a2a0ec46a9ca09f9884b466cb62d3dc75cdb07d47005ad724005b4f4b2fabd5a8998d543a663d

Download Submit
memory/2012-10-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-0-0x0000000000040000-0x0000000000052000-memory.dmp

Filesize
72KB

Download
memory/2012-1-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-11-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-9-0x0000000001110000-0x0000000001122000-memory.dmp

Filesize
72KB

Download
memory/2908-14-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/2908-15-0x00000000060D0000-0x00000000061CA000-memory.dmp

Filesize
1000KB

Download
memory/2908-31-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-32-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2908-33-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/2908-34-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2908-35-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads