xenorat | c6869ec4d346b01fb2a17166558038d66840cbe7a4e4a26a2e9a6d29225e699d | Triage

Sharing

General

Target

neverlosecrack laucher.exe
Size

45KB
Sample

240513-w9c14shb8t
MD5

4a0a8d2a6a0c3a9b727296563cb71690
SHA1

b764251a6d82e236c5f652b8a43e5c86c89b8985
SHA256

c6869ec4d346b01fb2a17166558038d66840cbe7a4e4a26a2e9a6d29225e699d
SHA512

67b68497b3206376a0d364400bfe065fd13f834aced15645afc4315a9097a3e03784eab746a37e11ea4c61f7174998ddb85461d7544b1df350cc12c0def872cc
SSDEEP

768:BdhO/poiiUcjlJInJr6BH9Xqk5nWEZ5SbTDaTuI7CPW5Q:/w+jjgniH9XqcnW85SbT2uI4

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

0.tcp.eu.ngrok.io

Mutex

radnom123_34X41

Attributes

delay
5000
install_path
appdata
port
14119
startup_name
window system

Targets

- Target
  
  neverlosecrack laucher.exe
- Size
  
  45KB
- MD5
  
  4a0a8d2a6a0c3a9b727296563cb71690
- SHA1
  
  b764251a6d82e236c5f652b8a43e5c86c89b8985
- SHA256
  
  c6869ec4d346b01fb2a17166558038d66840cbe7a4e4a26a2e9a6d29225e699d
- SHA512
  
  67b68497b3206376a0d364400bfe065fd13f834aced15645afc4315a9097a3e03784eab746a37e11ea4c61f7174998ddb85461d7544b1df350cc12c0def872cc
- SSDEEP
  
  768:BdhO/poiiUcjlJInJr6BH9Xqk5nWEZ5SbTDaTuI7CPW5Q:/w+jjgniH9XqcnW85SbT2uI4
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan