General
-
Target
9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
-
Size
242KB
-
Sample
240508-c2wcyagg32
-
MD5
88569a0094dafd1c5d804534cc6afde4
-
SHA1
ccf747db107b4e3a6aae1fb202b2aed36eba8bf4
-
SHA256
9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d
-
SHA512
73901b82c35d86cd547dcd7f378d914dcbdfe67b5d8691527e77dfcf9c42fc0b384e6ec527555a98de7e397904923b95ae0d5a48737f6570e6d77bf82baf4352
-
SSDEEP
6144:yEbA05j2yCleJJ2qnqnCQlTDSxL1wy1r41XaulCQGZMlIvBIEPYr+A29F4I:yEbA05jKmJ2qwkL1N1CnlnlIvBIEPYrU
Malware Config
Extracted
xenorat
dns.requimacofradian.site
Xeno_rat_nd8818g
-
delay
60000
-
install_path
appdata
-
port
1243
-
startup_name
uic
Targets
-
-
Target
9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
-
Size
242KB
-
MD5
88569a0094dafd1c5d804534cc6afde4
-
SHA1
ccf747db107b4e3a6aae1fb202b2aed36eba8bf4
-
SHA256
9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d
-
SHA512
73901b82c35d86cd547dcd7f378d914dcbdfe67b5d8691527e77dfcf9c42fc0b384e6ec527555a98de7e397904923b95ae0d5a48737f6570e6d77bf82baf4352
-
SSDEEP
6144:yEbA05j2yCleJJ2qnqnCQlTDSxL1wy1r41XaulCQGZMlIvBIEPYr+A29F4I:yEbA05jKmJ2qwkL1N1CnlnlIvBIEPYrU
Score10/10-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Detects executables packed with ConfuserEx Mod
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-