xenorat | a704f907107e0208de4b35e93e6d435dc54fd8f28c87c84250502a2dfa5b5738 | Triage

Sharing

General

Target

2024-05-15_5b9731dc85c4c73f4fcc491a17d57fcd_ngrbot_snatch
Size

5.4MB
Sample

240515-cat1ssbe4s
MD5

5b9731dc85c4c73f4fcc491a17d57fcd
SHA1

24699fcc2df32502e959a6f918190eb1b9241319
SHA256

a704f907107e0208de4b35e93e6d435dc54fd8f28c87c84250502a2dfa5b5738
SHA512

1d0261bc229c2e8ebe3372ef6abcaf9fbe96162d8853c0b9f3c36ab77ebf3d844924d1c5571bd5b4017e227f01ca05985d6b48c4e23d41d59903d0e5ed0502b8
SSDEEP

49152:xcIa7C33IJszhP0o/eiY9iCl3miEcUD9HTxTju5EFhoRvE9Zz:qa33IGNPaiCUu0duEFSR

Score

10^/10

xenorat evasion execution rat trojan

Malware Config

Extracted

Family

xenorat

C2

69.46.15.141

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Targets

- Target
  
  2024-05-15_5b9731dc85c4c73f4fcc491a17d57fcd_ngrbot_snatch
- Size
  
  5.4MB
- MD5
  
  5b9731dc85c4c73f4fcc491a17d57fcd
- SHA1
  
  24699fcc2df32502e959a6f918190eb1b9241319
- SHA256
  
  a704f907107e0208de4b35e93e6d435dc54fd8f28c87c84250502a2dfa5b5738
- SHA512
  
  1d0261bc229c2e8ebe3372ef6abcaf9fbe96162d8853c0b9f3c36ab77ebf3d844924d1c5571bd5b4017e227f01ca05985d6b48c4e23d41d59903d0e5ed0502b8
- SSDEEP
  
  49152:xcIa7C33IJszhP0o/eiY9iCl3miEcUD9HTxTju5EFhoRvE9Zz:qa33IGNPaiCUu0duEFSR
Score

10^/10

xenorat evasion execution rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xenoratevasionexecutionrattrojan