General

  • Target

    cfc72b24ecdc6d7ef3364324f33c0701ec116c86c3b7b4af2f32d309a218f7cf.exe

  • Size

    243KB

  • Sample

    240606-l83j9scg7w

  • MD5

    b101dee2fdf011dfcdf4e3e55038ae75

  • SHA1

    fe8ae6b6e0f3ae4123d0cc564a23bf80d3109a92

  • SHA256

    cfc72b24ecdc6d7ef3364324f33c0701ec116c86c3b7b4af2f32d309a218f7cf

  • SHA512

    3cb6b2ba2a8ac22b4b832c340d495343dbd39bb70c5be4ca66b8340debd60f3a374a72da4e89b73f86f7d8d1d527fdbaf27bcb9a3418868e8230604fef98477f

  • SSDEEP

    6144:Mg8trm+0369KcYpX38LHoFq1ZO8CzYL3qC2WuI:T8trm+CEslGHZ108CzYL3qC2WT

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1283

  • startup_name

    bns

Targets

    • Target

      cfc72b24ecdc6d7ef3364324f33c0701ec116c86c3b7b4af2f32d309a218f7cf.exe

    • Size

      243KB

    • MD5

      b101dee2fdf011dfcdf4e3e55038ae75

    • SHA1

      fe8ae6b6e0f3ae4123d0cc564a23bf80d3109a92

    • SHA256

      cfc72b24ecdc6d7ef3364324f33c0701ec116c86c3b7b4af2f32d309a218f7cf

    • SHA512

      3cb6b2ba2a8ac22b4b832c340d495343dbd39bb70c5be4ca66b8340debd60f3a374a72da4e89b73f86f7d8d1d527fdbaf27bcb9a3418868e8230604fef98477f

    • SSDEEP

      6144:Mg8trm+0369KcYpX38LHoFq1ZO8CzYL3qC2WuI:T8trm+CEslGHZ108CzYL3qC2WT

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks