xenorat | 2c979bce124c9b38ddc271abd603b742b6b998b4e2df27e5c3260cb4bbe24031

General

Target

lool.bat
Size

75KB
MD5

210c28d7e7091f344df74d092b50ed4a
SHA1

6ed289b6635ca3a6cfcdf30f2bd2c9e6e7712a11
SHA256

2c979bce124c9b38ddc271abd603b742b6b998b4e2df27e5c3260cb4bbe24031
SHA512

21771f1243ad54c69b9c3ad841dcf791e68015764870b6cdf9b483fa7f601d65adc9782af80a99c5df58b3a538d2789bdbf732b744790936d5abd28dc1d08659
SSDEEP

1536:um3tLk9b1GjzKddsAjcYy2B815PiJJbkizNvPSPviQLxw:uqz1S5vQA

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
7788
startup_name
lol

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 2 IoCs

Processes:

x.exex.exe

pid process

1132 x.exe
2240 x.exe
Loads dropped DLL 1 IoCs

Processes:

x.exe

pid process

1132 x.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1504 schtasks.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

x.exe

pid process

1132 x.exe

pid	process
1132	x.exe
2240	x.exe

pid	process
1132	x.exe

pid	process
1504	schtasks.exe

pid	process
1132	x.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cmd.exex.exex.exe

description	pid	process	target process
PID 2284 wrote to memory of 1720	2284	cmd.exe	findstr.exe
PID 2284 wrote to memory of 1720	2284	cmd.exe	findstr.exe
PID 2284 wrote to memory of 1720	2284	cmd.exe	findstr.exe
PID 2284 wrote to memory of 2920	2284	cmd.exe	cscript.exe
PID 2284 wrote to memory of 2920	2284	cmd.exe	cscript.exe
PID 2284 wrote to memory of 2920	2284	cmd.exe	cscript.exe
PID 2284 wrote to memory of 1132	2284	cmd.exe	x.exe
PID 2284 wrote to memory of 1132	2284	cmd.exe	x.exe
PID 2284 wrote to memory of 1132	2284	cmd.exe	x.exe
PID 2284 wrote to memory of 1132	2284	cmd.exe	x.exe
PID 1132 wrote to memory of 2240	1132	x.exe	x.exe
PID 1132 wrote to memory of 2240	1132	x.exe	x.exe
PID 1132 wrote to memory of 2240	1132	x.exe	x.exe
PID 1132 wrote to memory of 2240	1132	x.exe	x.exe
PID 2240 wrote to memory of 1504	2240	x.exe	schtasks.exe
PID 2240 wrote to memory of 1504	2240	x.exe	schtasks.exe
PID 2240 wrote to memory of 1504	2240	x.exe	schtasks.exe
PID 2240 wrote to memory of 1504	2240	x.exe	schtasks.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\lool.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\findstr.exe
findstr /e "'v" "C:\Users\Admin\AppData\Local\Temp\lool.bat"
2⤵
PID:1720

C:\Windows\system32\cscript.exe
cscript //nologo C:\Users\Admin\AppData\Local\Temp\x.vbs
2⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\x.exe
C:\Users\Admin\AppData\Local\Temp\x.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Roaming\XenoManager\x.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\x.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "lol" /XML "C:\Users\Admin\AppData\Local\Temp\tmp225F.tmp" /F
4⤵
- Creates scheduled task(s)
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp225F.tmp
Filesize
1KB

MD5
0d56c8b55981340ffccdfc4fdc5e8f34

SHA1
52b649f6cf05225c3e2816028c4328b589afe1a4

SHA256
da61b813aeb372324e29b32c5f5bf6059a1e9734e838c6bfe65e4dfbc631a3ca

SHA512
5ee0384c2e6b9f76609d01aff3cfd346a1e01696a2b644e682da049c92ca8c4c2995ba8f1c8df8e0b15f7cc56989a8833cb4a890ca5a16cb03fc7cc239b79b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
4KB

MD5
afc9d6ee61525f103d640290d4f33499

SHA1
850c748365d8e3ce2d724ce1b2f92f5629bb0ed7

SHA256
cb460e45c1015ef7b51ea09323169f04ee5d10e782762d24eaee99217bdd5747

SHA512
f202d0a127ada98854fd52a9ab06e35f8330bd7869bca5a685be0407106c7a527667aabd13694eea52087abe9a4aca4aaa5f3361ccea4e1d5b15a064d61a1f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
1KB

MD5
6d307cb7e2f0c08fe889461163bd12c8

SHA1
9e3abacce23a15975999cb2ff8cf9d4b449304d6

SHA256
55d96d6d45121d5603b11a818b8425b31bc971e7631219b3e2a524802fd9ccc4

SHA512
7f565c8c1862a7a48077d3dc9251e2bb3bf799a123b4b0c257cd84c180da66b87e693fb16cf6449b617c852ed8852329cf8e974a318220e6687d1c7465b89c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\x
Filesize
62KB

MD5
1821eb47df91d5cb462841ec783c3583

SHA1
009e3c0dc9d8d6e8e23605810c9f184703ef3bc9

SHA256
ad2ac4c76a314f402bfab75d4bf0b01b5acc2b7048170f849a1245aebccda69d

SHA512
b087033b816410e5425f6c16c5a4dfce9b3b1dbac27094e055fe81e5b64ab439d54c5c07965476ec99f9577cd644c05f8e2d0a7514846fc80353eb2d1646cb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe
Filesize
45KB

MD5
688d041d85af4d0c5063bed1e9147f57

SHA1
e67fbf716a7622f2ce8f016b8843d228d023e3ba

SHA256
b96a56bd3aeb0f9c7e71ec19d9170b7e0a6e2f647c2cbebc0789866f2ec09458

SHA512
79a55b5b6df46a95e82d1085893f8979e0f4c39e3dedbe3d4efeabde0274eef37c6a56a76b92c96a0dcb1dcd48648a4ed55209eab91d1cff45e7898564fe1720

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.vbs
Filesize
380B

MD5
ec9a2fb69a379d913a4e0a953cd3b97c

SHA1
a0303ed9f787c042071a1286bba43a5bbdd0679e

SHA256
cf8268d158bb819ef158ff6ccbed64d5e379148a0adb1f73a082a01d56d0286b

SHA512
fef8e24a680991046bd7dacd6079c7e48c3031fe46caae722ea93797ee16c052073ba97959e992ea71ac7ab72fbcedaa5cf4a410657aac4c10ad24de6935e9d6

Download Submit
memory/1132-894-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/1132-895-0x00000000012E0000-0x00000000012F2000-memory.dmp

Filesize
72KB

Download
memory/2240-903-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads