xenorat | 3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7

General

Target

3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
Size

243KB
MD5

0e9b2c5f8304300edb087bc435bd0ae2
SHA1

05818c31d64d6766f7d641cdac52a7782c7af31f
SHA256

3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7
SHA512

cd25dd9493eb46ea4b76a46e227894b20146c6cb2ad432a6b163c1dcc602be16b0c941ca06e1a5685ec8e1bdb186b07af6bf37c07e9f0a2a015c28bbb1ccebad
SSDEEP

6144:6/uCoiIRe9955vZCfIuCNVj5D8Rv7cmlBNCdG1O3ppufUsTI:6/uCo9eP55vZoWv5AVlBNCdG1O3ppufW

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

dns.requimacofradian.site

Mutex

Xeno_rat_nd8818g

Attributes

delay
60000
install_path
appdata
port
1243
startup_name
uic

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1936-1-0x00000000003F0000-0x0000000000436000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1936-3-0x00000000005A0000-0x00000000005E0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Suspicious use of SetThreadContext 3 IoCs

Processes:

3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

description	pid	process	target process
PID 1936 set thread context of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 set thread context of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 set thread context of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

description pid process

Token: SeDebugPrivilege 1936 3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

description	pid	process
Token: SeDebugPrivilege	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
"C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
2⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
2⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
C:\Users\Admin\AppData\Local\Temp\3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
2⤵
PID:2620

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/1936-1-0x00000000003F0000-0x0000000000436000-memory.dmp

Filesize
280KB

Download
memory/1936-2-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1936-3-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/1936-4-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-5-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/1936-9-0x0000000074950000-0x000000007503E000-memory.dmp

Filesize
6.9MB

Download
memory/2560-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

description	pid	process	target process
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2560	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2572	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe
PID 1936 wrote to memory of 2620	1936	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe	3442baf899fcdef2f78165a69ad2c10a77576d0b0bae94f15a41341b01ad32b7.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads