General

  • Target

    0-3.eml

  • Size

    248KB

  • Sample

    240606-qj6mvafe93

  • MD5

    2b8c502ee0546972ad12e4b9f0060ae8

  • SHA1

    bff9687dc664085f2f1bf4f4dfec3601d2921af8

  • SHA256

    b0133c97a9a0544fa87b9dede635be6a34c6352e3ab359a282702a782184571e

  • SHA512

    43d39b330540c5044171c5af34e1b95a445ad393f7bbc09adfa30c2db287327f4dd0c95f6abf7a4fed2ba36b7088cff3fdb0b6c48fc268f70e0c2e7b8ca19586

  • SSDEEP

    6144:hmLcuzkCaAhWsssHhnOJh2uxYyZRPgejc:ALTzkCthWRKO7PxYcgn

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Rolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1278

  • startup_name

    mns

Targets

    • Target

      Pago652024.exe

    • Size

      222KB

    • MD5

      8a522f9786f61b5bd677d7a8ed6bd1aa

    • SHA1

      06fdb9d40c9b6448fd8c1a47595eb3e8b3e9ed29

    • SHA256

      e4d55c94e2904333166dc800a24bb13f97f8ceaf8815bbc133f3ac40dd4211f2

    • SHA512

      e79c2be732536b4db756280d889b2021b31396ec669368796d507d7238be27984239d367bf22d9d1dea615b85b5b5b96677a08a383e28272a432988e537deabd

    • SSDEEP

      6144:0kE+cZHhNRHvo14E92D08KHKIpRfvv0upeG2wxywW0pS/i1SbUI:0kpcZB/PoODOEuYG2wxywW0pS/i1SbB

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks