Overview

overview

10

Static

static

10

Dekont-Mayis.exe

windows7-x64

10

Dekont-Mayis.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6d05d5e5310b31e26aaf54e7297f0f199056c92545c3b2602367dcdb67c761d0.zip

  • Size

    209KB

  • Sample

    240515-btm6xsac7s

  • MD5

    911cbc95cc2e6f3dde112dd932a85768

  • SHA1

    0e1c1bb30e49a90ab1935bb22656f30d79a19eb9

  • SHA256

    6d05d5e5310b31e26aaf54e7297f0f199056c92545c3b2602367dcdb67c761d0

  • SHA512

    1a00cb41e3bf65b075fa707b6ff14e93e0a968da175683536c12aac634390049560696e0678fb6ba59840057f54fdc7d8f76afc4d8c8c4ec90c9d61ab38cf7c7

  • SSDEEP

    6144:xG2x2neJf5QvtMpiSgIwS86GvvsMP1i8W/aCMpI9:x6eJf5mMppgIwS+vxPWJ

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1283

  • startup_name

    bns

Targets

    • Target

      Dekont-Mayis.exe

    • Size

      242KB

    • MD5

      33f2e874128d3a24588e1c89927042bd

    • SHA1

      e206af96ff648951608eaf599627635ddff7ecd8

    • SHA256

      fbb251f9916a362e527e962c4e2b0950f75de2226f3e3092813fa35eb6392bb7

    • SHA512

      559dc3f6a0f9a6e762545b9683e265e4459b8623786c979c959d5d78dff7f4455fed72135fcccc966c10ba3d3588fcbf077a44091e3012743245dc41bfd1b3c5

    • SSDEEP

      6144:gRRan2neJf5QvtapiSgICS86G3vsMP1i8FvEOPDv5bq1RFI:gRTeJf5mappgICS+3xPFvrPDv5bq1I

    Score
    10/10
    xenoratrattrojan

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Detects executables packed with ConfuserEx Mod

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks