General

  • Target

    plswork.exe

  • Size

    45KB

  • Sample

    240511-tyrc9afd6y

  • MD5

    0964e2756ab7939430b382c4c748a4b6

  • SHA1

    3d367eb27f86dd5e306b7d8919592dcef10a3465

  • SHA256

    83f595dd0fa6b285fa753613b8bdf936f080ecf0b9689bf9705e5079868fbe2e

  • SHA512

    5d7b2be37baf03d240115ff75f77b5e5e6157e92fe52f31b4b35debc21765aa46a3467e2b75901f1a78b43b5cbc1ca894d85da1ccafe9cc8c8ebf97e7841955b

  • SSDEEP

    768:OdhO/poiiUcjlJInYTwH9Xqk5nWEZ5SbTDaSWI7CPW5p:Yw+jjgnJH9XqcnW85SbTLWIR

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

ayumi-38161.portmap.host

Mutex

Xeno_rat_nd8912d

Attributes

  • delay

    3000

  • install_path

    temp

  • port

    38161

  • startup_name

    nothingset

Targets

    • Target

      plswork.exe

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks