General

  • Target

    23909b22079b8d7a53e9a3e7940cbc4626ba74f19382973e1b3dafbade7243ea.zip

  • Size

    209KB

  • Sample

    240516-bh5ltsdd2x

  • MD5

    4a797e6558479267a68168a84353471d

  • SHA1

    17ec991d7f0bcecf0005f8c4049617a7b72b469b

  • SHA256

    23909b22079b8d7a53e9a3e7940cbc4626ba74f19382973e1b3dafbade7243ea

  • SHA512

    fa3864fc78e8b63f85fe415dc2c33748486df34c31a94a7d31063bc9839ee9608f593302b3dc0030ab1ba97c51830fb7f74c281af310330f2e10ccd6f9fd29ee

  • SSDEEP

    3072:FLY3zta+9GTSkEHV3EdRvHm4jIOLLSByuqaxFZjR55aYSvYPd9O50TXqGIy/kgfu:RszVkEHVMRfmNOSdqaVv5nd9OEIyMUu

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1283

  • startup_name

    bns

Targets

    • Target

      Dekont-Mayis.exe

    • Size

      242KB

    • MD5

      f36fa3a72893c4151b136426119ad589

    • SHA1

      2f83d91056d831a40182c743c36fab2622be8906

    • SHA256

      3f2490dd9d05980a4b02f6b5e6e9c18f349cc4192a4733374318c20bc7f0a885

    • SHA512

      fa51532d7257fb7e71a2f5f9091350086c1772dc5458b572674071c25288b80b205bf17db271e58e11e45d930f4c1745938e45068125bf92b29fd8ca3e6859ff

    • SSDEEP

      6144:hcBzA6kEHVMRfmlOSdqadv5fdvW5S7w1ofkPAyDEqClNdzI:SBTkEHS8dqidvL7/cPAyDEqClN6

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Detects executables packed with ConfuserEx Mod

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks