xenorat | valochesse[.]exe | Triage

Sharing

General

Target

valochesse.exe
Size

45KB
MD5

804fd6f013a48648f5d2232bca5bdb22
SHA1

b2e90724822c99e3b761e79990af49e824e2b76a
SHA256

e29b6f39017aebfd1768cd55ca32c93247e95c17cea77fb3ee68368d89aecf71
SHA512

86c1d6e032ccee7d8076430f44fe20ba773c064e57d1b3cd07096438989b68c8814be3f375a450202f7eca949d441474e91ccddbb37e17e690e22aac7353c025
SSDEEP

768:gdhO/poiiUcjlJInqbqmH9Xqk5nWEZ5SbTDa60WI7CPW59:Sw+jjgnIH9XqcnW85SbTx0WIl

Score

10^/10

xenorat

Malware Config

Extracted

Family

xenorat

C2

2.tcp.eu.ngrok.io

Mutex

xeno-rat

Attributes

delay
100
install_path
appdata
port
19034
startup_name
tapware

Signatures

Xenorat family
xenorat
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

valochesse.exe

Files

valochesse.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ