xenorat | 295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579

Analysis

max time kernel
140s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
31-05-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eulenbet.exe
Size

181KB
MD5

c4041e19c6b52778b1885e109e15127b
SHA1

adf0226f2014540fa230e7c24afca0732fbb02ec
SHA256

295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579
SHA512

50f4e5fc0a3b2331edb4da18d9f5d5c9249c63912311b7d4d5808df0d473fb0c4f0ad0be148abfd97e01f647e28b8c49efa555dd58d206f778030e1c62996dd3
SSDEEP

1536:bxw+jjgnCH9XqcnW85SbTeWI30n+iQpXIJUuzDSZeit22i8PwQBVD39M0h:bxw+jq891UbTe64uzDSEG2dCBVDtMu

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

character-acquisitions.gl.at.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
36301
startup_name
explorers

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

eulenbet.exe

pid process

3800 eulenbet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3592 schtasks.exe

pid	process
3800	eulenbet.exe

pid	process
3592	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

eulenbet.exeeulenbet.exe

description	pid	process	target process
PID 1100 wrote to memory of 3800	1100	eulenbet.exe	eulenbet.exe
PID 1100 wrote to memory of 3800	1100	eulenbet.exe	eulenbet.exe
PID 1100 wrote to memory of 3800	1100	eulenbet.exe	eulenbet.exe
PID 3800 wrote to memory of 3592	3800	eulenbet.exe	schtasks.exe
PID 3800 wrote to memory of 3592	3800	eulenbet.exe	schtasks.exe
PID 3800 wrote to memory of 3592	3800	eulenbet.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\eulenbet.exe
"C:\Users\Admin\AppData\Local\Temp\eulenbet.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "explorers" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A57.tmp" /F
3⤵
- Creates scheduled task(s)
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eulenbet.exe.log
Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4A57.tmp
Filesize
1KB

MD5
3618f28ee957a02e89e0be1104d5d01d

SHA1
8ea06e12aa8a3c65b95212ad7151e7aeb40c9739

SHA256
a5fb1c2c6ea908ef5cca979748c475f1fab629fda0095d31db5e2a74e2514647

SHA512
aaaf76febed10e0a8ee00e9c941f09d519fb97056c5f903a71d0d652b1435ea55c746ab7eaedb21433d759fae2638aa96c69e472dff5cb0d82351a306600f5ac

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe
Filesize
181KB

MD5
c4041e19c6b52778b1885e109e15127b

SHA1
adf0226f2014540fa230e7c24afca0732fbb02ec

SHA256
295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579

SHA512
50f4e5fc0a3b2331edb4da18d9f5d5c9249c63912311b7d4d5808df0d473fb0c4f0ad0be148abfd97e01f647e28b8c49efa555dd58d206f778030e1c62996dd3

Download Submit
memory/1100-0-0x000000007460E000-0x000000007460F000-memory.dmp

Filesize
4KB

Download
memory/1100-1-0x0000000000E60000-0x0000000000E94000-memory.dmp

Filesize
208KB

Download
memory/3800-15-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download
memory/3800-18-0x0000000074600000-0x0000000074DB1000-memory.dmp

Filesize
7.7MB

Download