Malware Analysis Report

2024-08-06 18:38

Sample ID 240531-2hvpqsgg75
Target eulenbet.exe
SHA256 295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579

Threat Level: Known bad

The file eulenbet.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

Xenorat family

XenorRat

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-31 22:35

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 22:35

Reported

2024-05-31 22:38

Platform

win11-20240426-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eulenbet.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\eulenbet.exe C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe
PID 1100 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\eulenbet.exe C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe
PID 1100 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\eulenbet.exe C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe
PID 3800 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe C:\Windows\SysWOW64\schtasks.exe
PID 3800 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe C:\Windows\SysWOW64\schtasks.exe
PID 3800 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eulenbet.exe

"C:\Users\Admin\AppData\Local\Temp\eulenbet.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "explorers" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A57.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 character-acquisitions.gl.at.ply.gg udp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp
US 147.185.221.17:36301 character-acquisitions.gl.at.ply.gg tcp

Files

memory/1100-0-0x000000007460E000-0x000000007460F000-memory.dmp

memory/1100-1-0x0000000000E60000-0x0000000000E94000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\eulenbet.exe

MD5 c4041e19c6b52778b1885e109e15127b
SHA1 adf0226f2014540fa230e7c24afca0732fbb02ec
SHA256 295a87700cdc0f4e493fbf4be933bd390a5dc0b0ee7ef50f78715b946a505579
SHA512 50f4e5fc0a3b2331edb4da18d9f5d5c9249c63912311b7d4d5808df0d473fb0c4f0ad0be148abfd97e01f647e28b8c49efa555dd58d206f778030e1c62996dd3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eulenbet.exe.log

MD5 1294de804ea5400409324a82fdc7ec59
SHA1 9a39506bc6cadf99c1f2129265b610c69d1518f7
SHA256 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0
SHA512 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

memory/3800-15-0x0000000074600000-0x0000000074DB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4A57.tmp

MD5 3618f28ee957a02e89e0be1104d5d01d
SHA1 8ea06e12aa8a3c65b95212ad7151e7aeb40c9739
SHA256 a5fb1c2c6ea908ef5cca979748c475f1fab629fda0095d31db5e2a74e2514647
SHA512 aaaf76febed10e0a8ee00e9c941f09d519fb97056c5f903a71d0d652b1435ea55c746ab7eaedb21433d759fae2638aa96c69e472dff5cb0d82351a306600f5ac

memory/3800-18-0x0000000074600000-0x0000000074DB1000-memory.dmp