xenorat | 1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38 | Triage

Submit
Reports

Overview

overview

Static

static

3

AudinoBuilder.exe

windows11-21h2-x64

Resubmissions

11-05-2024 19:51

240511-ykvkzahc78 10

11-05-2024 19:45

240511-ygfmmsec3y 10

11-05-2024 18:50

240511-xhabksfa93 10

Sharing

General

Target

AudinoBuilder.exe
Size

5.6MB
Sample

240511-ygfmmsec3y
MD5

c4cb065184458a9e05b7c893642f9b3c
SHA1

36327e2e82c26c3d39dcc51569c08c624c90ae20
SHA256

1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38
SHA512

2e9809bce89db2566c7aa9143afc5c818cc2765ea6c0ab2e8d583aac7a7b1cca5d601b5ecb8cc676221118ab2b8b333eea7fad614f5150ae95c76b979388faa4
SSDEEP

98304:lKAVWycWWgSj67/ngnLqAABRvCrnVAo3tH/Gfz7H7YzA4AzRP2HjdgW0NaBFV:8TylWgSj6DnDvRKrnVAoBQHHkERPPW0K

Score

10^/10

xenorat zgrat evasion execution persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

AudinoBuilder.exe

Resource

win11-20240426-en

xenorat zgrat evasion execution persistence rat trojan

windows11-21h2-x64

24 signatures

300 seconds

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
45010
startup_name
ErrorManager

Targets

- Target
  
  AudinoBuilder.exe
- Size
  
  5.6MB
- MD5
  
  c4cb065184458a9e05b7c893642f9b3c
- SHA1
  
  36327e2e82c26c3d39dcc51569c08c624c90ae20
- SHA256
  
  1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38
- SHA512
  
  2e9809bce89db2566c7aa9143afc5c818cc2765ea6c0ab2e8d583aac7a7b1cca5d601b5ecb8cc676221118ab2b8b333eea7fad614f5150ae95c76b979388faa4
- SSDEEP
  
  98304:lKAVWycWWgSj67/ngnLqAABRvCrnVAo3tH/Gfz7H7YzA4AzRP2HjdgW0NaBFV:8TylWgSj6DnDvRKrnVAoBQHHkERPPW0K
Score

10^/10

xenorat zgrat evasion execution persistence rat trojan
- Detect ZGRat V1
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

xenoratzgratevasionexecutionpersistencerattrojan

© 2018-2024

Terms | Privacy