xenorat | e62a6f77fab09529a64f2e5f356c514217ea88ec2dcacf8ad037ac7fc2fddea5

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ASDASD.exe
Size

45KB
MD5

748bfff2a909d92412d8400e7a86dbda
SHA1

77bdcf2b5232b3c3eb0b6d2525d6f140cd0a92b1
SHA256

e62a6f77fab09529a64f2e5f356c514217ea88ec2dcacf8ad037ac7fc2fddea5
SHA512

1b19d3e50ce090d7f181d74ccf94b8444f7bee76669dc199389a2a0ec46a9ca09f9884b466cb62d3dc75cdb07d47005ad724005b4f4b2fabd5a8998d543a663d
SSDEEP

768:VdhO/poiiUcjlJInhwH9Xqk5nWEZ5SbTDaDWI7CPW5m:rw+jjgnqH9XqcnW85SbTSWIu

Score

10^/10

xenorat rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

choice-certainly.gl.at.ply.gg

Mutex

xeno_42344554563443

Attributes

delay
5000
install_path
appdata
port
24253
startup_name
system

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
2908	ASDASD.exe

Loads dropped DLL 1 IoCs

pid	Process
2012	ASDASD.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2536	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command	ASDASD.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell	ASDASD.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell	ASDASD.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	ASDASD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute	ASDASD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\ASDASD.exe\""	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\Shell\Open\command	ASDASD.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings	ASDASD.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe
2908	ASDASD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	ASDASD.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	28
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	28
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	28
PID 2012 wrote to memory of 2908	2012	ASDASD.exe	28
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	29
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	29
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	29
PID 2908 wrote to memory of 2536	2908	ASDASD.exe	29
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	34
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	34
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	34
PID 2908 wrote to memory of 2860	2908	ASDASD.exe	34

C:\Users\Admin\AppData\Local\Temp\ASDASD.exe
"C:\Users\Admin\AppData\Local\Temp\ASDASD.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\XenoManager\ASDASD.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\ASDASD.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D00.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:2536
- - C:\Windows\system32\cmd.exe
    cmd /c start "" "%windir%\system32\fodhelper.exe"
    3⤵
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3D00.tmp

Filesize
1KB

MD5
ffe469e0dcbd6034267652c079e9f6e5

SHA1
6d75ff1e2a8c84c5e2dfed54b25ed4b724d527a2

SHA256
497e61ebdb3b43b5b52d005fe3d98dd31860cd9dcfb731608a6eb4c84d1cf8fa

SHA512
e94455c5c5bc869d1e90c5c145bb33f48fdbda9a9448dfc95c719f9fbb60fdd0509fbc3f5ffda3926c9c35145c9f4218a545649e1f4bfcf5829f6a708f4922ba

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\ASDASD.exe

Filesize
45KB

MD5
748bfff2a909d92412d8400e7a86dbda

SHA1
77bdcf2b5232b3c3eb0b6d2525d6f140cd0a92b1

SHA256
e62a6f77fab09529a64f2e5f356c514217ea88ec2dcacf8ad037ac7fc2fddea5

SHA512
1b19d3e50ce090d7f181d74ccf94b8444f7bee76669dc199389a2a0ec46a9ca09f9884b466cb62d3dc75cdb07d47005ad724005b4f4b2fabd5a8998d543a663d

Download Submit
memory/2012-10-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2012-0-0x0000000000040000-0x0000000000052000-memory.dmp

Filesize
72KB

Download
memory/2012-1-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-11-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-9-0x0000000001110000-0x0000000001122000-memory.dmp

Filesize
72KB

Download
memory/2908-14-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/2908-15-0x00000000060D0000-0x00000000061CA000-memory.dmp

Filesize
1000KB

Download
memory/2908-31-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2908-32-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2908-33-0x00000000006C0000-0x0000000000700000-memory.dmp

Filesize
256KB

Download
memory/2908-34-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2908-35-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download