xenorat | ff6341544da4fddb3d6b82675a213c2107114f9a5ee57ad963ab38809e467971 | Triage

Sharing

General

Target

Odeme_belgesi.exe
Size

241KB
Sample

240506-l2e6dsge2y
MD5

f5df66951851f33e5035632a77c5a1cf
SHA1

e30fc11bdb5ede3a634b2c0106dc90041b5e6863
SHA256

ff6341544da4fddb3d6b82675a213c2107114f9a5ee57ad963ab38809e467971
SHA512

c0ddea4de3754d196af8096fe6de36e3b672e409cbb4ee46fd4456f3e6236aad9a70dd449a9d1ab4a601195f0c58147cedfb3355ba8b28d0109dfbb735b55d41
SSDEEP

6144:WiZukvpZlYRKu6VgVZJZosZH2I7aoFJpC3C0vArtnQQgUNbfQQUyCXcz1ychrGCm:WaumGgu6VgV/d26aoFJpHiArLgMboQDY

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

dns.requimacofradian.site

Mutex

Xeno_rat_nd8818g

Attributes

delay
60000
install_path
appdata
port
1243
startup_name
uic

Targets

- Target
  
  Odeme_belgesi.exe
- Size
  
  241KB
- MD5
  
  f5df66951851f33e5035632a77c5a1cf
- SHA1
  
  e30fc11bdb5ede3a634b2c0106dc90041b5e6863
- SHA256
  
  ff6341544da4fddb3d6b82675a213c2107114f9a5ee57ad963ab38809e467971
- SHA512
  
  c0ddea4de3754d196af8096fe6de36e3b672e409cbb4ee46fd4456f3e6236aad9a70dd449a9d1ab4a601195f0c58147cedfb3355ba8b28d0109dfbb735b55d41
- SSDEEP
  
  6144:WiZukvpZlYRKu6VgVZJZosZH2I7aoFJpC3C0vArtnQQgUNbfQQUyCXcz1ychrGCm:WaumGgu6VgV/d26aoFJpHiArLgMboQDY
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan