xenorat | 9c8bf9ebe2a4086492d67929fd36c4918e7d9069d67d3aa43faf24e25cb6bfe0 | Triage

Submit
Reports

Overview

overview

Static

static

chat.exe

windows7-x64

chat.exe

windows10-2004-x64

Sharing

General

Target

chat.exe
Size

45KB
Sample

240513-s6b3vsce6y
MD5

87639df87df52ab646411f86c2fce0c3
SHA1

6d6d21dd0af987380edc0b4fafebfc6d3e5d9a1c
SHA256

9c8bf9ebe2a4086492d67929fd36c4918e7d9069d67d3aa43faf24e25cb6bfe0
SHA512

39dacf01b97b0189644533dd545594d8daa755ea6d9cd1a2b61fa4dead15e6a088edf969c1487683fb35a623ac4e22ab0ecbb72bad4e5a9e770c6f0fc986e578
SSDEEP

768:BdhO/poiiUcjlJInwr6BH9Xqk5nWEZ5SbTDaTuI7CPW5Q:/w+jjgndH9XqcnW85SbT2uI4

Score

10^/10

xenorat persistence rat trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

chat.exe

Resource

win7-20240508-en

xenorat rat trojan

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

chat.exe

Resource

win10v2004-20240508-en

xenorat persistence rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

0.tcp.eu.ngrok.io

Mutex

radnom123_34X41

Attributes

delay
5000
install_path
appdata
port
15597
startup_name
window system

Targets

- Target
  
  chat.exe
- Size
  
  45KB
- MD5
  
  87639df87df52ab646411f86c2fce0c3
- SHA1
  
  6d6d21dd0af987380edc0b4fafebfc6d3e5d9a1c
- SHA256
  
  9c8bf9ebe2a4086492d67929fd36c4918e7d9069d67d3aa43faf24e25cb6bfe0
- SHA512
  
  39dacf01b97b0189644533dd545594d8daa755ea6d9cd1a2b61fa4dead15e6a088edf969c1487683fb35a623ac4e22ab0ecbb72bad4e5a9e770c6f0fc986e578
- SSDEEP
  
  768:BdhO/poiiUcjlJInwr6BH9Xqk5nWEZ5SbTDaTuI7CPW5Q:/w+jjgndH9XqcnW85SbT2uI4
Score

10^/10

xenorat rat trojan persistence
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratpersistencerattrojan

© 2018-2024

Terms | Privacy