General

  • Target

    231733d95aea19422658b004868f2634ff992714a533839e4c8cb94859ab619c.exe

  • Size

    242KB

  • Sample

    240601-bgvp8scc2s

  • MD5

    b5221ebcf592f06fa5916e035330d0f1

  • SHA1

    97280f900cccbc2ca7662d77029c42cab0514073

  • SHA256

    231733d95aea19422658b004868f2634ff992714a533839e4c8cb94859ab619c

  • SHA512

    1767eec0e4973f279a4d8d5fef31cca4567f484039c685631ea70858f84671524a040e6b3e229572b1425544516b1d135164383d98b6b6077225145916cc6a9e

  • SSDEEP

    6144:ncuU50otq3N4hlZG7ZpWO/2/puk/z26e97l1fsHH44I:ncugONsTYZp328kL26e97l1fsHH4l

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Jolid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1284

  • startup_name

    hns

Targets

    • Target

      231733d95aea19422658b004868f2634ff992714a533839e4c8cb94859ab619c.exe

    • Size

      242KB

    • MD5

      b5221ebcf592f06fa5916e035330d0f1

    • SHA1

      97280f900cccbc2ca7662d77029c42cab0514073

    • SHA256

      231733d95aea19422658b004868f2634ff992714a533839e4c8cb94859ab619c

    • SHA512

      1767eec0e4973f279a4d8d5fef31cca4567f484039c685631ea70858f84671524a040e6b3e229572b1425544516b1d135164383d98b6b6077225145916cc6a9e

    • SSDEEP

      6144:ncuU50otq3N4hlZG7ZpWO/2/puk/z26e97l1fsHH44I:ncugONsTYZp328kL26e97l1fsHH4l

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Detects executables packed with ConfuserEx Mod

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks