Overview

overview

10

Static

static

3

GXBuilder.exe

windows7-x64

10

GXBuilder.exe

windows10-2004-x64

GXBuilder.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    GXBuilder.exe

  • Size

    12.6MB

  • Sample

    240427-hwpabsde42

  • MD5

    f9e4ae00290e5259c78ba11b4c851417

  • SHA1

    247b5c812136a40f85c106ca6441315b123f625e

  • SHA256

    34ab005b549534dba9a83d9346e1618a18ecee2c99a93079551634f9480b2b79

  • SHA512

    5dfce7ed791e0b44d218142d6075ecf009f186c57e02fcf5675945c2329058750cc308f8730fa0f0188b4291d9a63a8357a070c103431d32aadb345783c1ddb1

  • SSDEEP

    196608:/i76SDEa0mOCb5xm4J15iY5XBx9vjnWmf58eOt6dp2wGSECksB579u5gnynV:/imJa0mN/p1599vjnXVd9pl5Ggn

Score
10/10
xenoratzgratevasionpersistencepyinstallerrattrojan

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    45010

  • startup_name

    WindowsErrorHandler

Targets

    • Target

      GXBuilder.exe

    • Size

      12.6MB

    • MD5

      f9e4ae00290e5259c78ba11b4c851417

    • SHA1

      247b5c812136a40f85c106ca6441315b123f625e

    • SHA256

      34ab005b549534dba9a83d9346e1618a18ecee2c99a93079551634f9480b2b79

    • SHA512

      5dfce7ed791e0b44d218142d6075ecf009f186c57e02fcf5675945c2329058750cc308f8730fa0f0188b4291d9a63a8357a070c103431d32aadb345783c1ddb1

    • SSDEEP

      196608:/i76SDEa0mOCb5xm4J15iY5XBx9vjnWmf58eOt6dp2wGSECksB579u5gnynV:/imJa0mN/p1599vjnXVd9pl5Ggn

    Score
    10/10
    xenoratzgratevasionpersistencepyinstallerrattrojan

    • Detect ZGRat V1

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Creates new service(s)

      persistence

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Tasks