xenorat | 8ff9cd217cac6f44e24e5de2049f4289d05286dfbf32566b70c0744dbdd6d381 | Triage

Sharing

General

Target

sa.exe
Size

310KB
Sample

240526-qaesrsfg28
MD5

64a3cb4713a64a85a07a28878c50fb55
SHA1

5a8fdb5b2e5338db3b2b81949b30ca0edc483d4e
SHA256

8ff9cd217cac6f44e24e5de2049f4289d05286dfbf32566b70c0744dbdd6d381
SHA512

46aa9ba21ed7afb453ea474731f7fbe8b68848b97887746d95a8df2eb4dcd469febc6e566c099cc18b080added707964c771479c5c6130ef404e5d13ce72bc0a
SSDEEP

6144:aW+91UbIeC+5r6PmRIoS5P7xVEDc7SuDSSwb:a7eCB9V5b

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

192.168.56.1

Mutex

Growtopia_4232

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
growtopia

Targets

- Target
  
  sa.exe
- Size
  
  310KB
- MD5
  
  64a3cb4713a64a85a07a28878c50fb55
- SHA1
  
  5a8fdb5b2e5338db3b2b81949b30ca0edc483d4e
- SHA256
  
  8ff9cd217cac6f44e24e5de2049f4289d05286dfbf32566b70c0744dbdd6d381
- SHA512
  
  46aa9ba21ed7afb453ea474731f7fbe8b68848b97887746d95a8df2eb4dcd469febc6e566c099cc18b080added707964c771479c5c6130ef404e5d13ce72bc0a
- SSDEEP
  
  6144:aW+91UbIeC+5r6PmRIoS5P7xVEDc7SuDSSwb:a7eCB9V5b
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan