Overview

overview

10

Static

static

10

0f68c332d1...AS.exe

windows7-x64

10

0f68c332d1...AS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    07-05-2024 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0f68c332d1b8248d00a996d4dec0f8e0_NEAS.exe

  • Size

    125KB

  • MD5

    0f68c332d1b8248d00a996d4dec0f8e0

  • SHA1

    1e4eec4339472391053c44ff3c87285c5eecfc3b

  • SHA256

    e26efb84ef3e2aff4e003de0261dbd44f0c69a1f1e821ad884b8015f53411e88

  • SHA512

    f8cb34fcf4393c2e4773678522003be8af853c76e12ba0bec4408f10dd346f44bb4a2c2bc2f26b99577b4a6a64f01700e391dc058534596909614f3bb3cbd16d

  • SSDEEP

    768:Wa/jqPyqisr4dGirXAHg5rbWpwxpFZu9e7Sd/bDXNJb7bTDaHo1IV27gOVQXPS:WeNqwop8pFZu9eKjBJb7bT2o1Igb

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

213.8.116.226

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    nothingset

  • port

    4444

  • startup_name

    antivirus

Signatures

  • Detects XenoRAT malware 1 IoCs

    XenoRAT is an open-source remote access tool (RAT) developed in C#.

    rat
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f68c332d1b8248d00a996d4dec0f8e0_NEAS.exe
    "C:\Users\Admin\AppData\Local\Temp\0f68c332d1b8248d00a996d4dec0f8e0_NEAS.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "antivirus" /XML "C:\Users\Admin\AppData\Local\Temp\tmp279D.tmp" /F
      2⤵
      • Creates scheduled task(s)
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp279D.tmp
    Filesize

    1KB

    MD5

    541ffe4a795a6b4b0b2d085aee2f79ea

    SHA1

    f839fb7c34c19f454d1f94d66ee9b605c8abaffe

    SHA256

    aae1cfa26ddf52004d9ba311a09bba31c8bcb9b3f77dc922f4200858706612a1

    SHA512

    5823a7c672a68785976425a8f1d638ebb11738b0e57e68dc237bcd579e87f6cff6fd39add154d67c7a27c13fa6e05586d09d44a8fc06b4c0df418820f01420e3

    Download Submit

  • memory/2084-0-0x00000000742CE000-0x00000000742CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-1-0x00000000008F0000-0x0000000000916000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2084-4-0x00000000742C0000-0x00000000749AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2084-5-0x00000000742CE000-0x00000000742CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-6-0x00000000742C0000-0x00000000749AE000-memory.dmp

    Filesize

    6.9MB

    Download