Malware Analysis Report

2024-08-06 18:35

Sample ID 240515-tkpx9shb66
Target valochesse.exe
SHA256 e29b6f39017aebfd1768cd55ca32c93247e95c17cea77fb3ee68368d89aecf71
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e29b6f39017aebfd1768cd55ca32c93247e95c17cea77fb3ee68368d89aecf71

Threat Level: Known bad

The file valochesse.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Xenorat family

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-15 16:07

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 16:07

Reported

2024-05-15 16:10

Platform

win10-20240404-en

Max time kernel

129s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\valochesse.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 2.tcp.eu.ngrok.io N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\valochesse.exe C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe
PID 2776 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\valochesse.exe C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe
PID 2776 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\valochesse.exe C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe
PID 2456 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\schtasks.exe
PID 2456 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2248 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 2248 wrote to memory of 1796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\valochesse.exe

"C:\Users\Admin\AppData\Local\Temp\valochesse.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "tapware" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE0C.tmp" /F

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query /v /fo csv

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /delete /tn "\tapware" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.197.239.5:19034 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 5.239.197.18.in-addr.arpa udp
DE 18.197.239.5:19034 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:19034 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/2776-0-0x000000007395E000-0x000000007395F000-memory.dmp

memory/2776-1-0x00000000003C0000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\valochesse.exe

MD5 804fd6f013a48648f5d2232bca5bdb22
SHA1 b2e90724822c99e3b761e79990af49e824e2b76a
SHA256 e29b6f39017aebfd1768cd55ca32c93247e95c17cea77fb3ee68368d89aecf71
SHA512 86c1d6e032ccee7d8076430f44fe20ba773c064e57d1b3cd07096438989b68c8814be3f375a450202f7eca949d441474e91ccddbb37e17e690e22aac7353c025

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\valochesse.exe.log

MD5 957779c42144282d8cd83192b8fbc7cf
SHA1 de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512 f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

memory/2456-9-0x0000000073950000-0x000000007403E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDE0C.tmp

MD5 83ea5bae1b54e68e477655caab346750
SHA1 e5e75e863cb4cf2e5f1957e0be078f243c047f39
SHA256 3d56ac0067ccb6684f6980f72aa8cd2af395cf17f536549316d414b4712b0791
SHA512 e78649f8140fdcbb0f9875d0321ebe0e7cc3f4b28bfe82196f8c7ede5bc08e20a6c90ebd9dc0f8bbf01929c186fe6a62a547eea63de0269980ff3189fe3c921a

memory/2456-12-0x0000000006170000-0x00000000061D6000-memory.dmp

memory/2456-13-0x0000000073950000-0x000000007403E000-memory.dmp

memory/2456-14-0x0000000073950000-0x000000007403E000-memory.dmp

memory/2456-15-0x0000000073950000-0x000000007403E000-memory.dmp