xenorat | 34ab005b549534dba9a83d9346e1618a18ecee2c99a93079551634f9480b2b79 | Triage

Submit
Reports

Overview

overview

Static

static

3

GXBuilder.exe

windows7-x64

GXBuilder.exe

windows10-2004-x64

GXBuilder.exe

windows11-21h2-x64

Sharing

General

Target

GXBuilder.exe
Size

12.6MB
Sample

240427-hwpabsde42
MD5

f9e4ae00290e5259c78ba11b4c851417
SHA1

247b5c812136a40f85c106ca6441315b123f625e
SHA256

34ab005b549534dba9a83d9346e1618a18ecee2c99a93079551634f9480b2b79
SHA512

5dfce7ed791e0b44d218142d6075ecf009f186c57e02fcf5675945c2329058750cc308f8730fa0f0188b4291d9a63a8357a070c103431d32aadb345783c1ddb1
SSDEEP

196608:/i76SDEa0mOCb5xm4J15iY5XBx9vjnWmf58eOt6dp2wGSECksB579u5gnynV:/imJa0mN/p1599vjnXVd9pl5Ggn

Score

10^/10

xenorat zgrat evasion persistence pyinstaller rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

GXBuilder.exe

Resource

win7-20231129-en

xenorat zgrat evasion persistence pyinstaller rat trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

GXBuilder.exe

Resource

win10v2004-20240419-en

windows10-2004-x64

2 signatures

150 seconds

Behavioral task

behavioral3

Sample

GXBuilder.exe

Resource

win11-20240419-en

xenorat zgrat evasion persistence pyinstaller rat trojan

windows11-21h2-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes

delay
5000
install_path
temp
port
45010
startup_name
WindowsErrorHandler

Targets

- Target
  
  GXBuilder.exe
- Size
  
  12.6MB
- MD5
  
  f9e4ae00290e5259c78ba11b4c851417
- SHA1
  
  247b5c812136a40f85c106ca6441315b123f625e
- SHA256
  
  34ab005b549534dba9a83d9346e1618a18ecee2c99a93079551634f9480b2b79
- SHA512
  
  5dfce7ed791e0b44d218142d6075ecf009f186c57e02fcf5675945c2329058750cc308f8730fa0f0188b4291d9a63a8357a070c103431d32aadb345783c1ddb1
- SSDEEP
  
  196608:/i76SDEa0mOCb5xm4J15iY5XBx9vjnWmf58eOt6dp2wGSECksB579u5gnynV:/imJa0mN/p1599vjnXVd9pl5Ggn
Score

10^/10

xenorat zgrat evasion persistence pyinstaller rat trojan
- Detect ZGRat V1
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Creates new service(s)
  persistence
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xenoratzgratevasionpersistencepyinstallerrattrojan

behavioral2

behavioral3

xenoratzgratevasionpersistencepyinstallerrattrojan

© 2018-2024

Terms | Privacy