Malware Analysis Report

2024-08-06 18:21

Sample ID 240531-21s9magg7x
Target client.exe
SHA256 b55e1e8555367114aff90727da651e37d8662a2678041b8f50f19fd8a397f984
Tags
xenorat rat trojan
score
10/10


Analysis Overview

score
10/10

SHA256

b55e1e8555367114aff90727da651e37d8662a2678041b8f50f19fd8a397f984

Threat Level: Known bad

The file client.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Xenorat family

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 23:03

Signatures

Xenorat family

xenorat

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 23:03

Reported

2024-05-31 23:04

Platform

win10-20240404-en

Max time kernel

27s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description   Indicator   Process                                                 Target
N/A           N/A         C:\Users\Admin\AppData\Roaming\XenoManager\client.exe   N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\SysWOW64\schtasks.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\client.exe

"C:\Users\Admin\AppData\Local\Temp\client.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\client.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7D2.tmp" /F

Network

Country   Destination            Domain                               Proto
US        8.8.8.8:53             people-weekend.gl.at.ply.gg          udp
US        147.185.221.20:5719    people-weekend.gl.at.ply.gg          tcp
US        8.8.8.8:53             20.221.185.147.in-addr.arpa          udp
US        147.185.221.20:5719    people-weekend.gl.at.ply.gg          tcp
US        147.185.221.20:5719    people-weekend.gl.at.ply.gg          tcp

Files

memory/4160-0-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

memory/4160-1-0x0000000000510000-0x0000000000522000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\client.exe

MD5 1acd506e251f840ff4aebd32401a68ab
SHA1 38ce2a41d59a1bf0f3332fb867f43794c39577af
SHA256 b55e1e8555367114aff90727da651e37d8662a2678041b8f50f19fd8a397f984
SHA512 26c74ecb9a20848f0b6bf9a1b9b0ccbc67d1b281337d50bafdf93382f1bf4f89f19669e5a278df8ff032092ede9597d0142b8e2718b0e7bbb034c3e78b84c5c4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\client.exe.log

MD5 957779c42144282d8cd83192b8fbc7cf
SHA1 de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512 f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

memory/3588-10-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/3588-11-0x0000000073D60000-0x000000007444E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD7D2.tmp

MD5 fdd36139980f5cbfef3360123665b96c
SHA1 faf5353ca339065426642578c3913906e892becf
SHA256 ff95b1308fc4294f5d6dcb0c171633387d81b4f2efda617292eb784615b17bed
SHA512 2ab91e7733c16300feda4efa61cc11baf21245f85c4cccd08e92c5fd61cfa03d206ba04939362733ce26385dfd66ab4524cd1a0da2c779a7e0ce9d00b4e5e31b

memory/3588-13-0x0000000073D60000-0x000000007444E000-memory.dmp