xenorat | 8973493f5780a045804e043f61bd6d09ee3f6a9ffbbdd884561363d45b991aa5

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18-05-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rrrrrrrrr.exe
Size

45KB
MD5

ccf13eb6f6f64cd29d255130bb3117cc
SHA1

684aa3eaf70d4bad183847c7a4d20f64ef9a19f7
SHA256

8973493f5780a045804e043f61bd6d09ee3f6a9ffbbdd884561363d45b991aa5
SHA512

f53e39fbe0f810c4372bcd164a1ca1d9ac3f1722272d3d3af2fa1931c4d1cf1d2d6323c4158c33a7e823dbf0260339925384752f208ced4d75a2dbb29393f869
SSDEEP

768:hdhO/poiiUcjlJIns0H9Xqk5nWEZ5SbTDakuI7CPW5P:fw+jjgn1H9XqcnW85SbTRuIH

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.56.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
server 32

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1512 schtasks.exe

pid	process
1512	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rrrrrrrrr.exe

description	pid	process	target process
PID 1552 wrote to memory of 1512	1552	rrrrrrrrr.exe	schtasks.exe
PID 1552 wrote to memory of 1512	1552	rrrrrrrrr.exe	schtasks.exe
PID 1552 wrote to memory of 1512	1552	rrrrrrrrr.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\rrrrrrrrr.exe
"C:\Users\Admin\AppData\Local\Temp\rrrrrrrrr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "server 32" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AEA.tmp" /F
2⤵
- Creates scheduled task(s)
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8AEA.tmp
Filesize
1KB

MD5
9b8bbef0ed1e69deb8c1a9c0e769a0df

SHA1
c853dc73cbf696c9086bacbd1a369788fce28a6c

SHA256
d1425b08975c3329162ee6a953f66c110d05c547aaab1c5f600ec78fe2af5013

SHA512
d8d106da40fef02cb44a513897c04f0e01ab23eadade8f905d2600d0ecb39cf02ea75a2dcadb63680ba9200161b855476ae6b837c494c9abb0b16348bd1c235c

Download Submit
memory/1552-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/1552-1-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/1552-2-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/1552-5-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/1552-6-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download