Overview

overview

10

Static

static

10

eulenbet.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31-05-2024 22:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eulenbet.exe

  • Size

    181KB

  • MD5

    c4041e19c6b52778b1885e109e15127b

  • SHA1

    adf0226f2014540fa230e7c24afca0732fbb02ec

  • SHA256

    295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579

  • SHA512

    50f4e5fc0a3b2331edb4da18d9f5d5c9249c63912311b7d4d5808df0d473fb0c4f0ad0be148abfd97e01f647e28b8c49efa555dd58d206f778030e1c62996dd3

  • SSDEEP

    1536:bxw+jjgnCH9XqcnW85SbTeWI30n+iQpXIJUuzDSZeit22i8PwQBVD39M0h:bxw+jq891UbTe64uzDSEG2dCBVDtMu

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

character-acquisitions.gl.at.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    36301

  • startup_name

    explorers

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eulenbet.exe
    "C:\Users\Admin\AppData\Local\Temp\eulenbet.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "explorers" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A57.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eulenbet.exe.log
    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp4A57.tmp
    Filesize

    1KB

    MD5

    3618f28ee957a02e89e0be1104d5d01d

    SHA1

    8ea06e12aa8a3c65b95212ad7151e7aeb40c9739

    SHA256

    a5fb1c2c6ea908ef5cca979748c475f1fab629fda0095d31db5e2a74e2514647

    SHA512

    aaaf76febed10e0a8ee00e9c941f09d519fb97056c5f903a71d0d652b1435ea55c746ab7eaedb21433d759fae2638aa96c69e472dff5cb0d82351a306600f5ac

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe
    Filesize

    181KB

    MD5

    c4041e19c6b52778b1885e109e15127b

    SHA1

    adf0226f2014540fa230e7c24afca0732fbb02ec

    SHA256

    295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579

    SHA512

    50f4e5fc0a3b2331edb4da18d9f5d5c9249c63912311b7d4d5808df0d473fb0c4f0ad0be148abfd97e01f647e28b8c49efa555dd58d206f778030e1c62996dd3

    Download Submit

  • memory/1100-0-0x000000007460E000-0x000000007460F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1100-1-0x0000000000E60000-0x0000000000E94000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3800-15-0x0000000074600000-0x0000000074DB1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3800-18-0x0000000074600000-0x0000000074DB1000-memory.dmp

    Filesize

    7.7MB

    Download