General
-
Target
valochesse.exe
-
Size
45KB
-
MD5
804fd6f013a48648f5d2232bca5bdb22
-
SHA1
b2e90724822c99e3b761e79990af49e824e2b76a
-
SHA256
e29b6f39017aebfd1768cd55ca32c93247e95c17cea77fb3ee68368d89aecf71
-
SHA512
86c1d6e032ccee7d8076430f44fe20ba773c064e57d1b3cd07096438989b68c8814be3f375a450202f7eca949d441474e91ccddbb37e17e690e22aac7353c025
-
SSDEEP
768:gdhO/poiiUcjlJInqbqmH9Xqk5nWEZ5SbTDa60WI7CPW59:Sw+jjgnIH9XqcnW85SbTx0WIl
Malware Config
Extracted
xenorat
2.tcp.eu.ngrok.io
xeno-rat
-
delay
100
-
install_path
appdata
-
port
19034
-
startup_name
tapware
Signatures
-
Xenorat family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource valochesse.exe
Files
-
valochesse.exe.exe windows:4 windows x86 arch:x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
mscoree
_CorExeMain
Sections
.text Size: 43KB - Virtual size: 42KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ