xenorat | 2c979bce124c9b38ddc271abd603b742b6b998b4e2df27e5c3260cb4bbe24031 | Triage

Sharing

General

Target

lool.bat
Size

75KB
Sample

240612-17yl9awfnl
MD5

210c28d7e7091f344df74d092b50ed4a
SHA1

6ed289b6635ca3a6cfcdf30f2bd2c9e6e7712a11
SHA256

2c979bce124c9b38ddc271abd603b742b6b998b4e2df27e5c3260cb4bbe24031
SHA512

21771f1243ad54c69b9c3ad841dcf791e68015764870b6cdf9b483fa7f601d65adc9782af80a99c5df58b3a538d2789bdbf732b744790936d5abd28dc1d08659
SSDEEP

1536:um3tLk9b1GjzKddsAjcYy2B815PiJJbkizNvPSPviQLxw:uqz1S5vQA

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
7788
startup_name
lol

Targets

- Target
  
  lool.bat
- Size
  
  75KB
- MD5
  
  210c28d7e7091f344df74d092b50ed4a
- SHA1
  
  6ed289b6635ca3a6cfcdf30f2bd2c9e6e7712a11
- SHA256
  
  2c979bce124c9b38ddc271abd603b742b6b998b4e2df27e5c3260cb4bbe24031
- SHA512
  
  21771f1243ad54c69b9c3ad841dcf791e68015764870b6cdf9b483fa7f601d65adc9782af80a99c5df58b3a538d2789bdbf732b744790936d5abd28dc1d08659
- SSDEEP
  
  1536:um3tLk9b1GjzKddsAjcYy2B815PiJJbkizNvPSPviQLxw:uqz1S5vQA
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan