General

  • Target

    a9ebf7e4670d9f014a98c83afc046b5a591edc21feeea989ec3895d4fd83390c.zip

  • Size

    209KB

  • Sample

    240515-b47y3sba61

  • MD5

    b63bcbf96badea5e34f393f72b3b4577

  • SHA1

    e26044fbf92f9a33ed02174e6ce32e250e14d90e

  • SHA256

    a9ebf7e4670d9f014a98c83afc046b5a591edc21feeea989ec3895d4fd83390c

  • SHA512

    8252344c7e0cde0b61ad384bdab1bc8e06c7f87651cd1e9a7b883dbaf80cceb0052f1318abfd5bdd02d413a9172fdef6ebe3f9cf53efac8ddbdda6e717b9a5cd

  • SSDEEP

    6144:D3UaolzBt09nG29wiGjTVxTTOkryVIoQRTq:Dk/vonqPn/TxrywRu

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1283

  • startup_name

    bns
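The extracted configuration above is the actionable part of this report: the C2 hostname and port, the mutex, the startup name and the pre-beacon delay are all host- or network-observable. As an added example (not part of the sandbox report or of XenoRAT itself), the following Python turns those five values into matchers and runs them over a handful of constructed DNS, firewall and EDR log lines. It correlates the DNS answer for the C2 host with later flows to that address on port 1283 instead of alerting on the port alone, and treats the whole registrable domain `dobiamfollollc.online` as attacker-controlled, which is an assumption, as is the interpretation of `delay` as milliseconds. The log lines, host names and addresses are constructed for illustration.

```python
"""Match XenoRAT config indicators from the report against log lines.

Added example. Config values are copied from the sandbox report; every
log line below is constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Values from the report's "Malware Config" section.
XENORAT_CONFIG = {
    "family": "xenorat",
    "c2": "dns.dobiamfollollc.online",
    "port": 1283,
    "mutex": "Solid_rat_nd8889g",
    "delay": 61000,            # assumed to be milliseconds (the report gives no unit)
    "install_path": "appdata",
    "startup_name": "bns",
}

# Constructed sample logs: a host creating the mutex, registering a scheduled
# task named after startup_name, resolving the C2 and connecting to it, plus
# benign noise (an unrelated 1283/tcp flow, a normal DNS query, svchost).
LOG_LINES = [
    "2024-05-15T10:00:58Z edr host=WS-23 pid=4412 event=mutex_create name=Solid_rat_nd8889g",
    "2024-05-15T10:00:59Z edr host=WS-23 pid=4412 event=process_create image=schtasks.exe "
    'cmdline="schtasks /create /tn bns /sc onlogon /tr ..."',
    "2024-05-15T10:01:03Z dns client=10.0.0.23 query=dns.dobiamfollollc.online type=A answer=198.51.100.7",
    "2024-05-15T10:01:04Z fw src=10.0.0.23 dst=198.51.100.7 dport=1283 proto=tcp action=allow",
    "2024-05-15T10:02:10Z dns client=10.0.0.23 query=dns.google type=A answer=8.8.8.8",
    "2024-05-15T10:02:11Z fw src=10.0.0.41 dst=203.0.113.9 dport=1283 proto=tcp action=allow",
    '2024-05-15T10:02:12Z edr host=WS-23 pid=812 event=process_create image=svchost.exe cmdline="svchost.exe -k netsvcs"',
]


@dataclass
class Hit:
    line_no: int
    indicator: str
    value: str
    line: str


def delay_seconds(cfg):
    """Pre-beacon delay in seconds, assuming the config value is in ms.
    A detonation window shorter than this never sees the first connection."""
    return cfg["delay"] / 1000


def scan(lines, cfg):
    """Return one Hit per indicator match, in log order."""
    # Assumption: the whole registrable domain (last two labels) is attacker
    # infrastructure, so sibling hosts under it are flagged too.
    parent = ".".join(cfg["c2"].split(".")[-2:])
    domain_re = re.compile(
        rf"(?<![\w-])(?:[\w-]+\.)*{re.escape(parent)}(?![\w-])", re.I)
    answer_re = re.compile(r"answer=(\d{1,3}(?:\.\d{1,3}){3})")
    flow_re = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}).*?\bdport=(\d+)")
    # startup_name is only three characters, so match it solely as a task
    # name argument (schtasks /tn or a TaskName field), never as a bare word.
    task_re = re.compile(
        rf'(?:/tn\s+|taskname[:=]\s*)\\?"?{re.escape(cfg["startup_name"])}"?(?![\w-])', re.I)
    mutex = cfg["mutex"]       # object names are case-sensitive: literal match

    # Pass 1: learn which addresses the C2 domain resolved to.
    resolved = set()
    for line in lines:
        if domain_re.search(line):
            resolved.update(answer_re.findall(line))

    # Pass 2: emit hits. A flow counts only when both the destination was
    # resolved from the C2 domain and the port matches; 1283/tcp on its own
    # is far too common to alert on.
    hits = []
    for n, line in enumerate(lines, 1):
        if domain_re.search(line):
            hits.append(Hit(n, "c2_domain", cfg["c2"], line))
        m = flow_re.search(line)
        if m and m.group(1) in resolved and int(m.group(2)) == cfg["port"]:
            hits.append(Hit(n, "c2_flow", f"{m.group(1)}:{cfg['port']}", line))
        if mutex in line:
            hits.append(Hit(n, "mutex", mutex, line))
        if task_re.search(line):
            hits.append(Hit(n, "startup_task", cfg["startup_name"], line))
    return hits


if __name__ == "__main__":
    print(f"beacon delay: {delay_seconds(XENORAT_CONFIG):.0f}s")
    for h in scan(LOG_LINES, XENORAT_CONFIG):
        print(f"line {h.line_no}: {h.indicator}={h.value}")
```

Run against the constructed lines it reports four hits (mutex, scheduled task, C2 resolution, C2 flow) and stays silent on the unrelated 1283/tcp connection. The mutex and task-name checks only work against telemetry that records object creation and command lines (EDR or Sysmon process events), not against network logs alone.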

Targets

    • Target

      Odeme -(Mayis).exe

    • Size

      242KB

    • MD5

      83e7f4ab1716acc476ec084ce84861a1

    • SHA1

      64e8e30193ad042474c157865f8938d101fa4f80

    • SHA256

      3087ed281ceea401aaf8fbd45b1d8fd6d384d48d3b097dd540162efa6931727f

    • SHA512

      3958276eded5fc7b18c418b686a643f09b4a0025c87d2bf15e66b07ffd5c1ad86467a4c9b201ca1cd619a18d334ab92ed2dbb071d7ff9adb9209793403e9747f

    • SSDEEP

      6144:IpB37AhZUYolzBt09nG29wiGjTLxTiaUmWdShuTcC8ZRfdnTI:I33sONvunqPnBi6WkhuTcC8ZRfdU

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Detects executables packed with ConfuserEx Mod

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                      Signatures  ID
  Execution              Scheduled Task/Job             1           T1053
  Persistence            Scheduled Task/Job             1           T1053
  Privilege Escalation   Scheduled Task/Job             1           T1053
  Discovery              Query Registry                 1           T1012
  Discovery              System Information Discovery   2           T1082

Tasks