xenorat | b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

Resubmissions

08-06-2024 04:31

240608-e5hmcshh95 10

02-06-2024 08:52

240602-ks7zdahc33 10

Analysis

max time kernel
5s
max time network
143s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08-06-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

incognitobeta.exe
Size

45KB
MD5

e9fc233c0a49d897c3d5d86350986f19
SHA1

fa122e95d3b34518aff46efac9e7f56926b64e40
SHA256

b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f
SHA512

de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4
SSDEEP

768:hdhO/poiiUcjlJIn8tUH9Xqk5nWEZ5SbTDaaWI7CPW5Z:fw+jjgn6UH9XqcnW85SbTjWIh

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

incognito

Attributes

delay
5000
install_path
temp
port
4444
startup_name
USBsupervisor

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

incognitobeta.exe

pid process

4988 incognitobeta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2292 schtasks.exe

pid	process
4988	incognitobeta.exe

pid	process
2292	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

incognitobeta.exe

description	pid	process	target process
PID 4448 wrote to memory of 4988	4448	incognitobeta.exe	incognitobeta.exe
PID 4448 wrote to memory of 4988	4448	incognitobeta.exe	incognitobeta.exe
PID 4448 wrote to memory of 4988	4448	incognitobeta.exe	incognitobeta.exe

C:\Users\Admin\AppData\Local\Temp\incognitobeta.exe
"C:\Users\Admin\AppData\Local\Temp\incognitobeta.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe"
2⤵
- Executes dropped EXE
PID:4988

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "USBsupervisor" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72AF.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\incognitobeta.exe.log
Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe
Filesize
45KB

MD5
e9fc233c0a49d897c3d5d86350986f19

SHA1
fa122e95d3b34518aff46efac9e7f56926b64e40

SHA256
b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

SHA512
de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp72AF.tmp
Filesize
1KB

MD5
0ee58773051bcc7078f9f29474b1eadd

SHA1
7f49e6cfd836b54c08f966e32c9f1f5670fe3dfb

SHA256
ebc60f1db998381cbe8a1a62ff1fef0516f8ba2b03ca61883de1238581b48338

SHA512
3e68474c21230eae6197f5dbd2aa35fe7208fa9fa2f3687cdd5e2f7c3b75272552a85e3979617c00c58a97e2660a3eaee183c8f0c9599f7da2de23ddd72f328c

Download Submit
memory/4448-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

Filesize
4KB

Download
memory/4448-1-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download
memory/4988-9-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4988-12-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download
memory/4988-13-0x0000000073FB0000-0x000000007469E000-memory.dmp

Filesize
6.9MB

Download