xenorat | 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223

General

Target

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
Size

955KB
MD5

94f798a6cc5738e8924c9c0b3d2abb1e
SHA1

5714cb7b382dab9977c99c94294561bc42d3166e
SHA256

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223
SHA512

7b301bddf5d8a3602805754dc995bb4ee88c957b1029e3a17a0ed10d85cc60b1c603a8953a521cae283c39e2ecf69e1253db92cc89dacd46a45d2c72837ce0e4
SSDEEP

24576:duDXTIGaPhEYzUzA0qxUAUBqG8DCRG7F9V5:ADjlabwz9M7WRG59V5

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

23.243.100.240

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Windows Security

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 3 IoCs

Processes:

InternalLoader2.exeRuntime Broker.exeRuntime Broker.exe

pid process

2396 InternalLoader2.exe
2940 Runtime Broker.exe
2592 Runtime Broker.exe
Loads dropped DLL 3 IoCs

Processes:

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exeRuntime Broker.exe

pid process

2104 66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
2628
2940 Runtime Broker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1836 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2776 timeout.exe

pid	process
2396	InternalLoader2.exe
2940	Runtime Broker.exe
2592	Runtime Broker.exe

pid	process
2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
2628
2940	Runtime Broker.exe

pid	process
1836	schtasks.exe

pid	process
2776	timeout.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exeInternalLoader2.execmd.execmd.execmd.exeRuntime Broker.exeRuntime Broker.exe

description	pid	process	target process
PID 2104 wrote to memory of 2396	2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	InternalLoader2.exe
PID 2104 wrote to memory of 2396	2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	InternalLoader2.exe
PID 2104 wrote to memory of 2396	2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	InternalLoader2.exe
PID 2396 wrote to memory of 2732	2396	InternalLoader2.exe	cmd.exe
PID 2396 wrote to memory of 2732	2396	InternalLoader2.exe	cmd.exe
PID 2396 wrote to memory of 2732	2396	InternalLoader2.exe	cmd.exe
PID 2732 wrote to memory of 2736	2732	cmd.exe	certutil.exe
PID 2732 wrote to memory of 2736	2732	cmd.exe	certutil.exe
PID 2732 wrote to memory of 2736	2732	cmd.exe	certutil.exe
PID 2732 wrote to memory of 2764	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2764	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2764	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2760	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2760	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2760	2732	cmd.exe	find.exe
PID 2396 wrote to memory of 2644	2396	InternalLoader2.exe	cmd.exe
PID 2396 wrote to memory of 2644	2396	InternalLoader2.exe	cmd.exe
PID 2396 wrote to memory of 2644	2396	InternalLoader2.exe	cmd.exe
PID 2644 wrote to memory of 2404	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 2404	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 2404	2644	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2524	2396	InternalLoader2.exe	WerFault.exe
PID 2396 wrote to memory of 2524	2396	InternalLoader2.exe	WerFault.exe
PID 2396 wrote to memory of 2524	2396	InternalLoader2.exe	WerFault.exe
PID 2404 wrote to memory of 2776	2404	cmd.exe	timeout.exe
PID 2404 wrote to memory of 2776	2404	cmd.exe	timeout.exe
PID 2404 wrote to memory of 2776	2404	cmd.exe	timeout.exe
PID 2104 wrote to memory of 2940	2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	Runtime Broker.exe
PID 2104 wrote to memory of 2940	2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	Runtime Broker.exe
PID 2104 wrote to memory of 2940	2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	Runtime Broker.exe
PID 2104 wrote to memory of 2940	2104	66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe	Runtime Broker.exe
PID 2940 wrote to memory of 2592	2940	Runtime Broker.exe	Runtime Broker.exe
PID 2940 wrote to memory of 2592	2940	Runtime Broker.exe	Runtime Broker.exe
PID 2940 wrote to memory of 2592	2940	Runtime Broker.exe	Runtime Broker.exe
PID 2940 wrote to memory of 2592	2940	Runtime Broker.exe	Runtime Broker.exe
PID 2592 wrote to memory of 1836	2592	Runtime Broker.exe	schtasks.exe
PID 2592 wrote to memory of 1836	2592	Runtime Broker.exe	schtasks.exe
PID 2592 wrote to memory of 1836	2592	Runtime Broker.exe	schtasks.exe
PID 2592 wrote to memory of 1836	2592	Runtime Broker.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
"C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
3⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5
4⤵
PID:2736

C:\Windows\system32\find.exe
find /i /v "md5"
4⤵
PID:2764

C:\Windows\system32\find.exe
find /i /v "certutil"
4⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
3⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\cmd.exe
cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
4⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:2776

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2396 -s 296
3⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Roaming\XenoManager\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Security" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp" /F
4⤵
- Creates scheduled task(s)
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe
Filesize
45KB

MD5
888405f1ed21b89ac08343458251bf26

SHA1
4c9b54da2336376441af26ed4bedcd6fda1b316f

SHA256
a8b6f84c5a83b221cb27203a565852745db0010e793aedfe2e98db4cd7f10859

SHA512
4280eddeaba17692a542ab11e1ad92cde5aedd0857990bea01dbd967334801318fd5c31519e58af021ff07c7cf37c2cea6c99502d7f7c1b26852cfb935e3a2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C91.tmp
Filesize
1KB

MD5
5b219b4101d84f08808354aca4b544bc

SHA1
f067faceacdefb5d1062fac1400c288aca4b36d7

SHA256
7072f7d22c1809a4f13ab22b1b2eacebf3f7333f668810e4bad2e3c22d2b9836

SHA512
67be44450193b5a10529b668e5dc3a35647bf85bb6cadbb2e9a45271d808f24ef0e8dc55103a50b1a82edc71f3c3371de50ac81220366a8188cca21a6587c8cd

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
Filesize
588KB

MD5
2582a8dfdf77e54747a2e84a27377131

SHA1
87a91b5cd34f2ed215a0092997ce2989a333b920

SHA256
38ea6534608e1496b285dadaa545a968c2b128111fc3841ba84f162f1a3f8e20

SHA512
f6193e490b95ef0ac3e2c66c2e83d8f582d4d86c4360b117a7ed11079a612ef62c2408968b96d3a55453cc0ac01b48773377ca090855650c368210235883ba3c

Download Submit
memory/2592-29-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/2940-21-0x0000000000030000-0x0000000000042000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads