General

  • Target

    incognitobeta.exe

  • Size

    45KB

  • Sample

    240602-kq2dtahb64

  • MD5

    e9fc233c0a49d897c3d5d86350986f19

  • SHA1

    fa122e95d3b34518aff46efac9e7f56926b64e40

  • SHA256

    b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

  • SHA512

    de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4

  • SSDEEP

    768:hdhO/poiiUcjlJIn8tUH9Xqk5nWEZ5SbTDaaWI7CPW5Z:fw+jjgn6UH9XqcnW85SbTjWIh

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

incognito

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    USBsupervisor

Targets

    • Target

      incognitobeta.exe

    • Size

      45KB

    • MD5

      e9fc233c0a49d897c3d5d86350986f19

    • SHA1

      fa122e95d3b34518aff46efac9e7f56926b64e40

    • SHA256

      b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

    • SHA512

      de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4

    • SSDEEP

      768:hdhO/poiiUcjlJIn8tUH9Xqk5nWEZ5SbTDaaWI7CPW5Z:fw+jjgn6UH9XqcnW85SbTjWIh

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks