xenorat | rrrrrrrrr[.]exe | Triage

Sharing

General

Target

rrrrrrrrr.exe
Size

45KB
MD5

ccf13eb6f6f64cd29d255130bb3117cc
SHA1

684aa3eaf70d4bad183847c7a4d20f64ef9a19f7
SHA256

8973493f5780a045804e043f61bd6d09ee3f6a9ffbbdd884561363d45b991aa5
SHA512

f53e39fbe0f810c4372bcd164a1ca1d9ac3f1722272d3d3af2fa1931c4d1cf1d2d6323c4158c33a7e823dbf0260339925384752f208ced4d75a2dbb29393f869
SSDEEP

768:hdhO/poiiUcjlJIns0H9Xqk5nWEZ5SbTDakuI7CPW5P:fw+jjgn1H9XqcnW85SbTRuIH

Score

10^/10

xenorat

Malware Config

Extracted

Family

xenorat

C2

192.168.56.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
server 32

Signatures

Xenorat family
xenorat
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

rrrrrrrrr.exe

Files

rrrrrrrrr.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 43KB - Virtual size: 42KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ