General

  • Target

    Dekontu.rar

  • Size

    907B

  • Sample

    240503-p8pvysfh9y

  • MD5

    39bf85a0d2fb776ed4ff33f64fe9073c

  • SHA1

    143c14d63d254437a01e76bb82ebefebc5b6f097

  • SHA256

    881ce6908e060231a797a1db1700ac66a2a58822cfcf8b932ff83a96833a8ceb

  • SHA512

    772441f74cda6b6e46ca9aa32b7a568bf4d63df49c62cf08cae9513a3e95b82236a06ba6422d70f53716af0bc01e09c6fa3dd71fe3e0b17bcde76a0a69264707

Malware Config

Extracted

  • Language

    ps1

  • Source

    exe.dropper

  • URLs

    https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif

Extracted

  • Family

    xenorat

  • C2

    dns.requimacofradian.site

  • Mutex

    Xeno_rat_nd8818g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1243

  • startup_name

    uic

Targets

    • Target

      Dekontu/Odeme -(Mayis).lnk.lnk

    • Size

      2KB

    • MD5

      2ad899ef7b0d361186d8487950b7e167

    • SHA1

      151d04d656e68152cc2116b0837331a7df30eb27

    • SHA256

      2ebd9ab34d58f221ce2034b9f43ad8b128fbc683dab962fbf6222b4eef2a3618

    • SHA512

      2a84054d0f22a042eb2390dba4831eea02700334531e09a3e4ce3b7ca0db71d12ea7d0de30b19280ac0fe746002f4fc96a4904832c81b3dac6647c4a9a50b39b

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks