General

  • Target

    8eb8ebe00262f74321167beca9e51f62add06e4460e2f274f857e3d7664cb9a9.exe

  • Size

    242KB

  • Sample

    240515-b1f17abc63

  • MD5

    2bad7cb7d57cae21a1d45344ad5600c5

  • SHA1

    d680e5a796951f3221c7691ec9dacca28149c195

  • SHA256

    8eb8ebe00262f74321167beca9e51f62add06e4460e2f274f857e3d7664cb9a9

  • SHA512

    37afa118242b6a52efb2aab633bdffd67171bf14fdef30c50f53041caf3ff00f1b845b43c09ecf9153339235add15cfb541eb8e8610f0558814cc1f5967a22b3

  • SSDEEP

    6144:E50AnWb4TnuDma4k2QxjKnuA1iIP1p37QFSKz6lbI:E50AW8TuajMATdhQFSKz6a

Score
10/10

Malware Config

Extracted

  • Family

    xenorat

  • C2

    dns.dobiamfollollc.online

  • Mutex

    Solid_rat_nd8889g

  • Attributes

    • delay

      61000

    • install_path

      appdata

    • port

      1283

    • startup_name

      bns

Targets

    Score
    10/10
    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Detects executables packed with ConfuserEx Mod

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job, T1053 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (2)
