General

  • Target

    sa.exe

  • Size

    310KB

  • Sample

    240526-qaesrsfg28

  • MD5

    64a3cb4713a64a85a07a28878c50fb55

  • SHA1

    5a8fdb5b2e5338db3b2b81949b30ca0edc483d4e

  • SHA256

    8ff9cd217cac6f44e24e5de2049f4289d05286dfbf32566b70c0744dbdd6d381

  • SHA512

    46aa9ba21ed7afb453ea474731f7fbe8b68848b97887746d95a8df2eb4dcd469febc6e566c099cc18b080added707964c771479c5c6130ef404e5d13ce72bc0a

  • SSDEEP

    6144:aW+91UbIeC+5r6PmRIoS5P7xVEDc7SuDSSwb:a7eCB9V5b

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

192.168.56.1

Mutex

Growtopia_4232

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    growtopia

Targets

    • Target

      sa.exe

    • Size

      310KB

    • MD5

      64a3cb4713a64a85a07a28878c50fb55

    • SHA1

      5a8fdb5b2e5338db3b2b81949b30ca0edc483d4e

    • SHA256

      8ff9cd217cac6f44e24e5de2049f4289d05286dfbf32566b70c0744dbdd6d381

    • SHA512

      46aa9ba21ed7afb453ea474731f7fbe8b68848b97887746d95a8df2eb4dcd469febc6e566c099cc18b080added707964c771479c5c6130ef404e5d13ce72bc0a

    • SSDEEP

      6144:aW+91UbIeC+5r6PmRIoS5P7xVEDc7SuDSSwb:a7eCB9V5b

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks