xenorat | ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8 | Triage

Sharing

General

Target

Odeme -(Mayis).exe
Size

242KB
Sample

240514-jcyv4afb7z
MD5

e3194e68bfa1155b7a5d0e895f9eccf1
SHA1

99de13f1eae283988d21f9f07a2646efaf55bc6e
SHA256

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8
SHA512

8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0
SSDEEP

6144:vUFRBdL5W/ldm/mGniJA07X7lBL/EMx4RpFLhBvuX/PFj0SP26Lzj2Y8qG+hBs7N:QvnW/4mGZ0rhd/ERRHzGPPNj2Y8qG+hI

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes

delay
61000
install_path
appdata
port
1283
startup_name
bns

Targets

- Target
  
  Odeme -(Mayis).exe
- Size
  
  242KB
- MD5
  
  e3194e68bfa1155b7a5d0e895f9eccf1
- SHA1
  
  99de13f1eae283988d21f9f07a2646efaf55bc6e
- SHA256
  
  ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8
- SHA512
  
  8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0
- SSDEEP
  
  6144:vUFRBdL5W/ldm/mGniJA07X7lBL/EMx4RpFLhBvuX/PFj0SP26Lzj2Y8qG+hBs7N:QvnW/4mGZ0rhd/ERRHzGPPNj2Y8qG+hI
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan