General

  • Target

    z51ComprobantedePago.exe

  • Size

    243KB

  • Sample

    240508-vqak7sha47

  • MD5

    d8f6115b7622aae1932adce73e6a22ae

  • SHA1

    f7cf718ab1af7a1c14788a29bddd2a9a2204a0d8

  • SHA256

    2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a

  • SHA512

    c8bb38387467b5ae0fb19d9fa5aa1086eb099de8d878ec000633daec9d27a149ed8943ec26e375d6c0799b2f32f0d72c12bb9ee78cd447fc6c855a0b75300cd6

  • SSDEEP

    6144:nmqwqSDBvqTGEi35YZcUuZhFwoc+XQ34utDPG3HWC+AgxQkWvI:nmpDBvqTGhiZcUkhCocfDe3HWC+AgxQQ

Malware Config

Extracted

Family

xenorat

C2

dns.requimacofradian.site

Mutex

Xeno_rat_nd8828g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1253

  • startup_name

    dic

Targets

    • Target

      z51ComprobantedePago.exe

    • Size

      243KB

    • MD5

      d8f6115b7622aae1932adce73e6a22ae

    • SHA1

      f7cf718ab1af7a1c14788a29bddd2a9a2204a0d8

    • SHA256

      2006d6408f92f5a66d2b62f5635eeb078fa2b4bfbd615791913cddec834ebb4a

    • SHA512

      c8bb38387467b5ae0fb19d9fa5aa1086eb099de8d878ec000633daec9d27a149ed8943ec26e375d6c0799b2f32f0d72c12bb9ee78cd447fc6c855a0b75300cd6

    • SSDEEP

      6144:nmqwqSDBvqTGEi35YZcUuZhFwoc+XQ34utDPG3HWC+AgxQkWvI:nmpDBvqTGhiZcUkhCocfDe3HWC+AgxQQ

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.