xenorat | a8a1713fd42448f33024b5631652ccaff80906a0b34060041f574b874b116d18 | Triage

Sharing

General

Target

Dekont-Mayis.exe
Size

242KB
Sample

240514-jgzcesfh33
MD5

4d4b2c3f80721a17b1933d01e0f889a8
SHA1

67222941b34301014e8e0208cefa97b86074ab67
SHA256

a8a1713fd42448f33024b5631652ccaff80906a0b34060041f574b874b116d18
SHA512

1b726882ed48a1a9b2ea9eca7e2da3c2eee7b4145f5ab012fa993a1f3f935e2cf469c7dbcf44ba771732b7a6a4ec58e8ab141dd90b23fb8b7db4bc0d68588d12
SSDEEP

6144:tkG0/qHJg+XoB9B6vP6560aZMNddbD3CmOA6d5CiN5pmwdRI:G/qHm+4B9B6X6s0aZMNrvcd5CiN5pmw

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes

delay
61000
install_path
appdata
port
1283
startup_name
bns

Targets

- Target
  
  Dekont-Mayis.exe
- Size
  
  242KB
- MD5
  
  4d4b2c3f80721a17b1933d01e0f889a8
- SHA1
  
  67222941b34301014e8e0208cefa97b86074ab67
- SHA256
  
  a8a1713fd42448f33024b5631652ccaff80906a0b34060041f574b874b116d18
- SHA512
  
  1b726882ed48a1a9b2ea9eca7e2da3c2eee7b4145f5ab012fa993a1f3f935e2cf469c7dbcf44ba771732b7a6a4ec58e8ab141dd90b23fb8b7db4bc0d68588d12
- SSDEEP
  
  6144:tkG0/qHJg+XoB9B6vP6560aZMNddbD3CmOA6d5CiN5pmwdRI:G/qHm+4B9B6X6s0aZMNrvcd5CiN5pmw
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan