xenorat | 3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
Size

243KB
MD5

0e9b2c5f8304300edb087bc435bd0ae2
SHA1

05818c31d64d6766f7d641cdac52a7782c7af31f
SHA256

3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7
SHA512

cd25dd9493eb46ea4b76a46e227894b20146c6cb2ad432a6b163c1dcc602be16b0c941ca06e1a5685ec8e1bdb186b07af6bf37c07e9f0a2a015c28bbb1ccebad
SSDEEP

6144:6/uCoiIRe9955vZCfIuCNVj5D8Rv7cmlBNCdG1O3ppufUsTI:6/uCo9eP55vZoWv5AVlBNCdG1O3ppufW

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

dns.requimacofradian.site

Mutex

Xeno_rat_nd8818g

Attributes

delay
60000
install_path
appdata
port
1243
startup_name
uic

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral1/memory/1936-1-0x00000000003F0000-0x0000000000436000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1936-3-0x00000000005A0000-0x00000000005E0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 set thread context of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 set thread context of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	28
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	29
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	30

C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
"C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
  C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
  C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
  C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
  2⤵
  PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/1936-1-0x00000000003F0000-0x0000000000436000-memory.dmp

Filesize
280KB

Download
memory/1936-2-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1936-3-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/1936-4-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-5-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/1936-9-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download