Overview

overview

10

Static

static

3

Pago_trans...ia.exe

windows7-x64

10

Pago_trans...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 07:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pago_transferencia.exe

  • Size

    242KB

  • MD5

    38664a0a401cf3c0fd27e93b4acceee3

  • SHA1

    52d52004dd140bbf60e9abe882c0ee758c38ed58

  • SHA256

    33d31a4576721d116977faf9687fb9832e95999d28209aabaed55a24a3d6f581

  • SHA512

    fba2673d49012caf3e554caa93398bb96c8bd8a93aa51281ec7a5f136b2ebdb99167d0155c4c5e243eb7da81a68d8cbf0ee47900926eaa0164b931d13dfabbf8

  • SSDEEP

    6144:VEopEdkzfA6ON1B6X9T7eKx9EwyZibQ0rlioHd5ZaEb1FWxI:mvdSA6OV6X9lXbmibQ0rliK5ZaEb1FWq

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Jolid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1284

  • startup_name

    hns

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe
    "C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe
      C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe
      2⤵
        PID:2064
      • C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe
        C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe
        2⤵
          PID:2856
        • C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe
          C:\Users\Admin\AppData\Local\Temp\Pago_transferencia.exe
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
            "C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2876
            • C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
              C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
              4⤵
              • Executes dropped EXE
              PID:2604
            • C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
              C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
              4⤵
              • Executes dropped EXE
              PID:2616
            • C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
              C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1696
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks.exe" /Create /TN "hns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp117E.tmp" /F
                5⤵
                • Creates scheduled task(s)
                PID:1932

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp117E.tmp
        Filesize

        1KB

        MD5

        4f0f5d9126cb60f7c19762dd4e600d2e

        SHA1

        8411ba63eb40b6744cc1b8b45802fe48d7777722

        SHA256

        b6641d6bf59648f2306c53356dfa57f8cc12e9289df8c9d3e0db4d65d87bfec1

        SHA512

        50418d6667a731047973d725cdccef7bdc04a0db5bc0574adda8736beffd019cd10272ad2d5cbcded250bad585834770e94ca5c1dc25e219462e0765e288e01a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\XenoManager\Pago_transferencia.exe
        Filesize

        242KB

        MD5

        38664a0a401cf3c0fd27e93b4acceee3

        SHA1

        52d52004dd140bbf60e9abe882c0ee758c38ed58

        SHA256

        33d31a4576721d116977faf9687fb9832e95999d28209aabaed55a24a3d6f581

        SHA512

        fba2673d49012caf3e554caa93398bb96c8bd8a93aa51281ec7a5f136b2ebdb99167d0155c4c5e243eb7da81a68d8cbf0ee47900926eaa0164b931d13dfabbf8

        Download Submit
      • memory/2132-1-0x0000000000160000-0x00000000001A6000-memory.dmp
        Filesize

        280KB

        Download
      • memory/2132-2-0x0000000000570000-0x0000000000576000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2132-3-0x0000000000590000-0x00000000005D0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2132-4-0x0000000074480000-0x0000000074B6E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2132-5-0x00000000004B0000-0x00000000004B6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2132-0-0x000000007448E000-0x000000007448F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2132-14-0x0000000074480000-0x0000000074B6E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2608-8-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2608-16-0x0000000074480000-0x0000000074B6E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2608-13-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2608-23-0x0000000074480000-0x0000000074B6E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2608-10-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2876-24-0x0000000000B00000-0x0000000000B46000-memory.dmp
        Filesize

        280KB

        Download