xenorat | 53bb0c771cfaaf16a7409a8b921c9e7e1595d281d94f5e7ad54454b3b5ac1602

Analysis

max time kernel
30s
max time network
16s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unlocked-gen.exe
Size

45KB
MD5

d2db2b350e07ac3555b415ad0ef7273e
SHA1

eb95cf23d1cd315d99d64ba61d1cc2f5f7bd76a6
SHA256

53bb0c771cfaaf16a7409a8b921c9e7e1595d281d94f5e7ad54454b3b5ac1602
SHA512

85778d717fc5315d5cd8898836d73fd735d9be2bbb409fa1ae5be3b79097664378779d2a4db3c1895fd2cadf01d3cdbc465e4f8a6186aac969acceeaa591458e
SSDEEP

768:hdhO/poiiUcjlJInXtUH9Xqk5nWEZ5SbTDaQWI7CPW5k:fw+jjgn9UH9XqcnW85SbTxWI8

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
3000
install_path
temp
port
3389
startup_name
system

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

unlocked-gen.exe

pid process

2004 unlocked-gen.exe
Loads dropped DLL 1 IoCs

Processes:

unlocked-gen.exe

pid process

1916 unlocked-gen.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2704 schtasks.exe

pid	process
2004	unlocked-gen.exe

pid	process
1916	unlocked-gen.exe

pid	process
2704	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

unlocked-gen.exeunlocked-gen.exe

description	pid	process	target process
PID 1916 wrote to memory of 2004	1916	unlocked-gen.exe	unlocked-gen.exe
PID 1916 wrote to memory of 2004	1916	unlocked-gen.exe	unlocked-gen.exe
PID 1916 wrote to memory of 2004	1916	unlocked-gen.exe	unlocked-gen.exe
PID 1916 wrote to memory of 2004	1916	unlocked-gen.exe	unlocked-gen.exe
PID 1916 wrote to memory of 2004	1916	unlocked-gen.exe	unlocked-gen.exe
PID 1916 wrote to memory of 2004	1916	unlocked-gen.exe	unlocked-gen.exe
PID 1916 wrote to memory of 2004	1916	unlocked-gen.exe	unlocked-gen.exe
PID 2004 wrote to memory of 2704	2004	unlocked-gen.exe	schtasks.exe
PID 2004 wrote to memory of 2704	2004	unlocked-gen.exe	schtasks.exe
PID 2004 wrote to memory of 2704	2004	unlocked-gen.exe	schtasks.exe
PID 2004 wrote to memory of 2704	2004	unlocked-gen.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe
"C:\Users\Admin\AppData\Local\Temp\unlocked-gen.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22BD.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp22BD.tmp
Filesize
1KB

MD5
4a7f735c43ed6520667cbf4ea31bf1e0

SHA1
e1298140c59752771836110a96723504d6f909da

SHA256
461f970c7b7b9bae825eb3841df8f7d4229b307ee6215ae3fe41c96fa42aad4a

SHA512
cdc9566c4beff1e09784a6d46a081598af3f66225966c14d4179d350cbff9f0493e8f40034890aa169ec438a2b6f984877341bc55e819d95c608e1317fd54509

Download Submit
C:\Users\Admin\Desktop\AssertExpand.css
Filesize
331KB

MD5
05fdb7e316c3d36d044a68e6f805b2db

SHA1
2e457886e4ec415cfcf801961e920942a9e1cd22

SHA256
e6add74da8984037bca74287d78588c3b3c6cd49d359fa62fa8982754cade9c0

SHA512
74294f5d2f85d564d44176494700692ccc338a001b6b8b6767f0e4d51aee1528e6cdfbb338525b034dd9b7f99b8958ab464512a376309bd6417f42fa5c3c7e7d

Download Submit
C:\Users\Admin\Desktop\ClearCheckpoint.cr2
Filesize
264KB

MD5
d9addc1f86e2a0d927a2597a23449dd2

SHA1
5cc0d18095eed46e2fe53d9f04f570f62d011d14

SHA256
87689a2ee486f3ffe23420ff720d492dd088ece7ba55e87dc1895a43b765bc0f

SHA512
d10dc555862461cc425e47427f0d6813aebc9f1c548efd393f2957799f79a27533504b8a52c8f9e83f8a4021f8a0fdf6ef7e708dcd4dbf3c161cde612c10f4cd

Download Submit
C:\Users\Admin\Desktop\ClearRestore.mpeg3
Filesize
230KB

MD5
1641d4e2fb9ce62d0b7c28c66e323d83

SHA1
911a7521031b50648970d3f9b47cd34b0756f806

SHA256
00e5db99413c6050b7f0f9e94c67caad18fa45a72f07f4ff5d6a2715f81057d3

SHA512
99b0f2a51f27e9f6f457a130cb818f88c2408bc05ffd3d806329d8f5f717ea0650f1538a38c6abbd57dc5e12815992b68985087958052008d2991acc6b7551da

Download Submit
C:\Users\Admin\Desktop\CloseMeasure.ADT
Filesize
275KB

MD5
c7a7919fcc21be9b7c4ff5ab462cb1c0

SHA1
2d84dee6f5c12e72038967f17464b8112da2ba62

SHA256
03494f486473acfe59d3e2bee9d6ea86ad7b2f58cee4e55a241dd7bb7f9ba3ce

SHA512
fd932f807f0587fc2d1a3e180ee74b0dfbefd8cd4fcb6b9f54d579da24cd7fc78521204ea638447c32e0b191be53e4a7676480d04b1c43ed31f72888d352a37c

Download Submit
C:\Users\Admin\Desktop\CompleteFormat.mid
Filesize
241KB

MD5
8211d4486b488b69c971862da658d161

SHA1
a3990523821b7b94a53ce733ace7f3aa17195fb2

SHA256
51cf40fc586ad999a5f21933d58713c89252335cb8dc75b7fd6b21179c62e3ac

SHA512
63532d222a0adcbe5dae1d21ea4f55c6a8aa09e6964fad115066ff20274c965b07a48a120b5d0d7da20198b87474e830240f8d096d1a886201c44172565270f7

Download Submit
C:\Users\Admin\Desktop\ExitGrant.svgz
Filesize
185KB

MD5
9111f5c550343e96d03ddf40f587c612

SHA1
bef3856bb6e2372b25723afb2864b333dc4be268

SHA256
a352aa2a6c75fe01c422c259dc03d6e40ddaeae9b5dccf0d2fdcf31168a85e38

SHA512
c689095c4e3fc0ecb4f5e4fa68ee6a678aad5c57a82c789bdc5e478acc06971fd4e4dc72d2f0d191f47aaa6412c18275188b270f885a2228f1c6c4f3612a2741

Download Submit
C:\Users\Admin\Desktop\FindRepair.vsdm
Filesize
151KB

MD5
189fd99bc8402720319260754b91e540

SHA1
96f94b10da81682a5f8de8eca94e4dbd6a7bac37

SHA256
762774e1b73c18b2ad693e5baa41310d00cc1c24166717c46f52bd8879fbee9e

SHA512
7295ce5de66ddf220513fc0653bcee16a0b82b840253ca79f2d8fee3acf9363b9e2e255ea5b7019e3d3f39e9d5b8f1684eeaa3674b18825dfc2e8d83c4f0c3b0

Download Submit
C:\Users\Admin\Desktop\HideClose.cr2
Filesize
320KB

MD5
7b417b3b9b1c283928b0fb6536ced890

SHA1
c3a68d71b525c061b9937a5f1b2442843b1976ee

SHA256
ee72ec549a3149a62e016fe89661d5ad4a626159dd51d3af7a30bae4902e352f

SHA512
d64c9b587aabdb12ed6ccd94493afa4cb339f877cfbb5a20a401f8127c156f0187aaa1c15a8269a6c0b5b6179a9b3b790d549a4d623efc36fc98d946eb7fa756

Download Submit
C:\Users\Admin\Desktop\InitializeAssert.pps
Filesize
353KB

MD5
1065057870e6cef681a428513523fe82

SHA1
7a2f3a8d5fb7bf9c51fbb5340501eedfec2d603f

SHA256
37832d7e399d267fe13ddef13539126daa5a54c486c95d1fdd1b7e04807d7fb7

SHA512
f1903a650cd6ec9f8d8441805ebfa5afea12bcc6a7c9ddde447c79873e433f63a5d8b4936b23b7ab4495135ee52bba47a13dfe2d692226d83e68f837d6f26532

Download Submit
C:\Users\Admin\Desktop\InitializeResolve.mhtml
Filesize
162KB

MD5
f8b516dcc4642fdc16229f45a3306eee

SHA1
1fe1040ccdbdda2cc8f6555a8e35b92a4fa2e392

SHA256
244320f3e9e9564f5aa9b67acc0081d59f48829b9250f420961823a99814320c

SHA512
28c77406eaacddd3083fa080478182acab1e556005f922197bdc458f0a6a7aae84ace03853aea817733ef1ba2a6cd6cf30f0b17900f088a470b572fba881170f

Download Submit
C:\Users\Admin\Desktop\ProtectOpen.jpeg
Filesize
309KB

MD5
6975246dd3fd970899ca215c62af8aa0

SHA1
70da4a5c3ac52eb6625506f538bd45f56b0021d6

SHA256
e2c05c70a12a65c7f6477a00f4478442abf7ebee075112615361d9d402ac2baf

SHA512
52485601a88acf419bc01b1dc2a0f1e683b4a9a559347c97cea657ea8dc273f3d8e0de1d5d2c30f966c8a2393c2a2a8d6cf2b1ef4f1644d43c992f5c57d0ae9d

Download Submit
C:\Users\Admin\Desktop\ReceiveExpand.avi
Filesize
252KB

MD5
95e44a30ae62cc40e713aa23f32e4f5c

SHA1
86c1d19914b5e1fe0a3224bb67fb9bc949d12d45

SHA256
c9bb4de80655a0380c4f7fb34418d40d5c40f2da5c5d7368ee3e683fa47f90f1

SHA512
d6ff6f08449689fc3cf56144d422d38f5ba7068315ce752ea932a1c6ff441d1fffa258760b4cdfc53f0500a4c5f6d5f8f42499830e237c33f0dd0789a532ee7e

Download Submit
C:\Users\Admin\Desktop\RemoveSet.mp2v
Filesize
365KB

MD5
a95c1cbf5b8b0957f9064cdcc59d350c

SHA1
88f6b03395f5f4c1a33581c9c4ffa645aa946732

SHA256
5ca173ae626921862bc02c8260c31d7b93b1374ed18b9b47cdbf5225b421f4ba

SHA512
f523b852024f1896244d3f277225eebc7160cf1d35878a8e7aadc2bc8a3ac0923bfa1679cffa57114ba37455bf68380b51f9b6dbf032964f6222bdd5d2c90510

Download Submit
C:\Users\Admin\Desktop\ResetCopy.mpeg
Filesize
342KB

MD5
9c28826d999b0e88327a4899f56aaf4c

SHA1
b1b424d5add3f9011162f2ec718a3313b53b249c

SHA256
c0574b97403682b7df12b9931a1d3999a34dfa41ee269e405e5303c14eaeb7e2

SHA512
6d5af0a169c71091e2a9d4e8a1dd07d52af10153c278b23724f44b6b797cb970d5eea6ee8af8eaae8f408bfc555ed53c6f48b01093e67501585503856ef73511

Download Submit
C:\Users\Admin\Desktop\RevokeHide.vsx
Filesize
174KB

MD5
0e37c162a41581d489cf737fd227f168

SHA1
5d0fb1a307ffcd79c204448cbfd4b8b101df8f7a

SHA256
a1a9b312d586cdb691b6e4b3f40d1e68ced628fbd8938da31ba4dfeebaa81649

SHA512
325ac63ddddeb0369ecd0557a6e578b5e0be2522a273ad57d596f9eb461538d2463793a717e33dfabbdc460b23aec063555d190155dfa5c0a996a13203d33db9

Download Submit
C:\Users\Admin\Desktop\ShowPush.jpg
Filesize
219KB

MD5
89746445bd04d260903bd8ea4e450da8

SHA1
941044e33a3d5873310ac7e9871b5242c8556289

SHA256
a57a231d0b47b4a274e4bc942797411473923b1321aec89a6a6fc158c1df79ba

SHA512
dd7134bbcc1b27ddab3b196d52ea744f4a59f5607cc47197f745bd25394dc0ccaab830c516490ccb19a72b7340c39c9c5ce70096d1135b5dbecf7d5253f9fb51

Download Submit
C:\Users\Admin\Desktop\ShowSync.rle
Filesize
297KB

MD5
60c40bfb2e991c4cd42207847f1f7947

SHA1
5a0455c2ee3ad384a67cfa6decaffe63b89f3eaa

SHA256
8daba58dea65e69ebe7928a6709c8c10a4d88b301a8518c7bf6dca4c27f566f1

SHA512
b050505c49bc65e0f527ee85671c2274d71f99c8c5fce3a565fec7561e6b0fb3ba07c6ba19cdd01c93c6c7acda476b96b14747d3f09f7a117d00aa1cee170e96

Download Submit
C:\Users\Admin\Desktop\StartRemove.mpeg3
Filesize
196KB

MD5
202dfecfcd363480959ec02d07257a40

SHA1
e634fa593fdf1b94d7d65be74a97830a2d4bdd46

SHA256
4f2580610133f50c429ad0c5d56d53bec0a916da2c77ecff9518d7a40cc69631

SHA512
db1b6ea50c4fdcd1668a2a5fab295e8625914e7ebaa034dd3f54518ca2a86890f8f46c962f51609ba3fab0923dbc908de5cf928ef7bf93649589997a9621fbb5

Download Submit
C:\Users\Admin\Desktop\TestUndo.ppt
Filesize
376KB

MD5
c47a3d01f598e3841f79d78658b28b30

SHA1
ff75731d364a94decbcceb17fd928d4995dbd71e

SHA256
b969172512787d7f29e4a066613c7986210f09848692fce3b97114d1a33adf66

SHA512
2a969b04225246a150931da253499eba6337a0e582a7e81e086e065775cf59d0d8c8e1844ad05fa780492e2cde9d7d46a709c76ab8054dc85fd17ccaeb266abd

Download Submit
C:\Users\Admin\Desktop\UnblockRestore.jtx
Filesize
286KB

MD5
f5f0c95bc7d102efee458b687b42b196

SHA1
2dd979dd171696c1b48f4be15ff05761f91f4455

SHA256
97d600ac633b12b1658a3a001beb32ceb64d6a9b8bbfa3a242d4c061b5b1f7fe

SHA512
fe29f070045a67379dcdbfdd8157b8569c4e28ae2b27921b8b89ad29bdb6a4269e3f42b01f00aa1c16872ce0f8c6ee1d9960b687bcce7a2e84c53aeb537c719f

Download Submit
C:\Users\Admin\Desktop\WriteResolve.dib
Filesize
207KB

MD5
00ef1feb514084e6267c8e529e2d4ca6

SHA1
0db43d08cbd98c56e42cacfb85d5eb853f058b68

SHA256
7621ea619850b53999e3a730efbcc4cc18c70cd6a594e152e7ebb945c4be5e1a

SHA512
089b908aa472acec4974f3c15a03fea9275ab25fa3d24536909096d25f2a55c76af0a523cd372e9f890e622f80d35626169dd458a57101c3d63edcd5e0a42679

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk
Filesize
1KB

MD5
2154e7052eb4314cede64ad60c596a04

SHA1
18fc274e3851caf259d61d7a794bbed5999f93b0

SHA256
932d173dd568d37aa9b324a5ccaa300b3135a0f47398ce93f48f41cdd1c7b833

SHA512
85b4fb3433acaaa76edc9af8e6a2cd7e5bf90b9f29ebedced1c44d3415fa3117448a820f2d53b9c34d2310ed5d08c9e9e556763db9356bb17aa24514556a9db1

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
931B

MD5
e7b67d9f038814dc05038c080813d062

SHA1
63941644de7e0647db76bc52803d67e7834cf553

SHA256
91cf63659cfd851cfca2cb201d697753aa36560063793cea70792c6eb871849b

SHA512
2f7c667a0c20cc3a43e40e707aca35f97e2fa2d843978e00652014888698bed6bdb739b2d0c2804234abfe75fca9a1f9e4498da0b339b979457f0e6063fc90d0

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
826aba2260a3c6c9bc25c0dfe165d2a6

SHA1
97b10d41f3dc81a69d4ba6c13ece6a13343c9e28

SHA256
55a664638a13ed86f4983ab3cdffe3ca64f3dd51db8c3d1f34af7048f11ebc33

SHA512
d8da39eed87b10e21040c8e51052d811b66e19c221f950a458a54bcc31b6553904357c2c20bc25e16224056087906e8b6500c95b32b9bd6f5c7189c7fd47efc1

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
878B

MD5
208eaaaa5fb5269bda3347a820b7b973

SHA1
f9ce85269570ee22d77fce2b69b90a50dec0a143

SHA256
bb7c897575d45255208e1912a3764a553af5add012630569477cfed88509ca92

SHA512
b67fce2839350a3a3c5e3ab78818400a33b68076112024fdda671ebe52253c141c1f6c684b2df722b45b1c648093898f204df3aad490a32c23a315e1536877c2

Download Submit
\Users\Admin\AppData\Local\Temp\XenoManager\unlocked-gen.exe
Filesize
45KB

MD5
d2db2b350e07ac3555b415ad0ef7273e

SHA1
eb95cf23d1cd315d99d64ba61d1cc2f5f7bd76a6

SHA256
53bb0c771cfaaf16a7409a8b921c9e7e1595d281d94f5e7ad54454b3b5ac1602

SHA512
85778d717fc5315d5cd8898836d73fd735d9be2bbb409fa1ae5be3b79097664378779d2a4db3c1895fd2cadf01d3cdbc465e4f8a6186aac969acceeaa591458e

Download Submit
memory/1916-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/1916-1-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2004-9-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download
memory/2004-10-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-13-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-15-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-40-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download