Malware Analysis Report

2024-08-06 18:22

Sample ID 240529-sq6mjaad2t
Target BE_Forcer.exe
SHA256 a8b6f84c5a83b221cb27203a565852745db0010e793aedfe2e98db4cd7f10859
Tags
xenorat rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a8b6f84c5a83b221cb27203a565852745db0010e793aedfe2e98db4cd7f10859

Threat Level: Known bad

The file BE_Forcer.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

Xenorat family

XenorRat

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-29 15:20

Signatures

Xenorat family

xenorat

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 15:20

Reported

2024-05-29 15:26

Platform

win10v2004-20240508-en

Max time kernel

101s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe
Target: N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\schtasks.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe

"C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Security" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A93.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 23.243.100.240:4444 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 23.243.100.240:4444 tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 23.243.100.240:4444 tcp
US 8.8.8.8:53 137.126.19.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4952-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

memory/4952-1-0x0000000000F00000-0x0000000000F12000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe

MD5 888405f1ed21b89ac08343458251bf26
SHA1 4c9b54da2336376441af26ed4bedcd6fda1b316f
SHA256 a8b6f84c5a83b221cb27203a565852745db0010e793aedfe2e98db4cd7f10859
SHA512 4280eddeaba17692a542ab11e1ad92cde5aedd0857990bea01dbd967334801318fd5c31519e58af021ff07c7cf37c2cea6c99502d7f7c1b26852cfb935e3a2a1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BE_Forcer.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/4156-15-0x0000000074B40000-0x00000000752F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5A93.tmp

MD5 8941d5c60cb56d632eb823a0394c0851
SHA1 ca1b1d484dc8f932533d5e6b780e0eaab1659353
SHA256 b871a28e8efbe36968894cd4bbd85d4ade83ef6b738181d30f8eabac4598ed82
SHA512 f0651c882f5605054099c3fe26c6c5a9ffeba64aa2844c22297090ace54b7408992088517833e2ff6f4ffa02fc730a13dd6f377e507749f3607a323fdb175a5f

memory/4156-18-0x0000000074B40000-0x00000000752F0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 15:20

Reported

2024-05-29 15:26

Platform

win7-20240215-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe
Target: N/A

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe
Target: N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\schtasks.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe

"C:\Users\Admin\AppData\Local\Temp\BE_Forcer.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Security" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25D8.tmp" /F

Network

Country Destination Domain Proto
US 23.243.100.240:4444 tcp
US 23.243.100.240:4444 tcp
US 23.243.100.240:4444 tcp
US 23.243.100.240:4444 tcp
US 23.243.100.240:4444 tcp

Files

memory/2832-0-0x00000000742CE000-0x00000000742CF000-memory.dmp

memory/2832-1-0x0000000000820000-0x0000000000832000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\BE_Forcer.exe

MD5 888405f1ed21b89ac08343458251bf26
SHA1 4c9b54da2336376441af26ed4bedcd6fda1b316f
SHA256 a8b6f84c5a83b221cb27203a565852745db0010e793aedfe2e98db4cd7f10859
SHA512 4280eddeaba17692a542ab11e1ad92cde5aedd0857990bea01dbd967334801318fd5c31519e58af021ff07c7cf37c2cea6c99502d7f7c1b26852cfb935e3a2a1

memory/1336-9-0x0000000000A40000-0x0000000000A52000-memory.dmp

memory/1336-10-0x00000000742C0000-0x00000000749AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp25D8.tmp

MD5 8941d5c60cb56d632eb823a0394c0851
SHA1 ca1b1d484dc8f932533d5e6b780e0eaab1659353
SHA256 b871a28e8efbe36968894cd4bbd85d4ade83ef6b738181d30f8eabac4598ed82
SHA512 f0651c882f5605054099c3fe26c6c5a9ffeba64aa2844c22297090ace54b7408992088517833e2ff6f4ffa02fc730a13dd6f377e507749f3607a323fdb175a5f

memory/1336-13-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/1336-14-0x00000000742C0000-0x00000000749AE000-memory.dmp

memory/1336-15-0x00000000742C0000-0x00000000749AE000-memory.dmp