xenorat | 7c4c85dc3b36fcec57a3eb5a21eacf1e9cff0745c25c317036b927cb85d24182

Analysis

max time kernel
132s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16937.exe
Size

45KB
MD5

7302cc01869548ae491f52a9a37a6bb2
SHA1

9450bd5b7d14408e058f16d2305cda6f1ebd102e
SHA256

7c4c85dc3b36fcec57a3eb5a21eacf1e9cff0745c25c317036b927cb85d24182
SHA512

3a6bd57ab2d30414521f1e0ef918e158b18dabbca9d68dd35a99bb3e97e0e3982d11e496354dbdbe3a65395d5bb1195a77d657d25f40185bbe795883b4de5754
SSDEEP

768:ddhO/poiiUcjlJInSzH9Xqk5nWEZ5SbTDaVWI7CPW52:Tw+jjgnAH9XqcnW85SbT8WI+

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.100.78

Mutex

Putty

Attributes

delay
5000
install_path
appdata
port
4782
startup_name
Windows Updater

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

16937.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 16937.exe
Executes dropped EXE 1 IoCs

Processes:

16937.exe

pid process

3220 16937.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5044 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	16937.exe

pid	process
3220	16937.exe

pid	process
5044	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

16937.exe16937.exe

description	pid	process	target process
PID 5064 wrote to memory of 3220	5064	16937.exe	16937.exe
PID 5064 wrote to memory of 3220	5064	16937.exe	16937.exe
PID 5064 wrote to memory of 3220	5064	16937.exe	16937.exe
PID 3220 wrote to memory of 5044	3220	16937.exe	schtasks.exe
PID 3220 wrote to memory of 5044	3220	16937.exe	schtasks.exe
PID 3220 wrote to memory of 5044	3220	16937.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\16937.exe
"C:\Users\Admin\AppData\Local\Temp\16937.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Roaming\XenoManager\16937.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\16937.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp" /F
3⤵
- Creates scheduled task(s)
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\16937.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp
Filesize
1KB

MD5
3387ed92c6d37fb1634bd442f8842f1d

SHA1
0c586d7001fe90fc1020a7073ea91ab27be58f24

SHA256
6d382e661e58aed7c8b40a8ba8d5f48d646cc606747853dfa7217af65eb2276b

SHA512
3610059b8c6b8a7dd81cd838957e20525dd45862c3df2e13f96e8d5700e537ec37f9a8df35d1ac9e6a129d84780639b9c8215e6930e4af3a4bbbc6da23913b55

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\16937.exe
Filesize
45KB

MD5
7302cc01869548ae491f52a9a37a6bb2

SHA1
9450bd5b7d14408e058f16d2305cda6f1ebd102e

SHA256
7c4c85dc3b36fcec57a3eb5a21eacf1e9cff0745c25c317036b927cb85d24182

SHA512
3a6bd57ab2d30414521f1e0ef918e158b18dabbca9d68dd35a99bb3e97e0e3982d11e496354dbdbe3a65395d5bb1195a77d657d25f40185bbe795883b4de5754

Download Submit
memory/3220-15-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3220-18-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/5064-0-0x00000000751EE000-0x00000000751EF000-memory.dmp

Filesize
4KB

Download
memory/5064-1-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download