xenorat | c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0

General

Target

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
Size

45KB
MD5

4d820f671919b3029173d8659aa59600
SHA1

af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256

c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA512

5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
SSDEEP

768:1dhO/poiiUcjlJInVZZbH9Xqk5nWEZ5SbTDacuI7CPW5r:Lw+jjgndbH9XqcnW85SbT5uIj

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

performance-ha.gl.at.ply.gg

Mutex

Putty

Attributes

delay
5000
install_path
appdata
port
33365
startup_name
Windows Updater

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid process

2388 4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid process

2208 4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2708 schtasks.exe

pid	process
2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid	process
2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid	process
2708	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

description	pid	process	target process
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Roaming\XenoManager\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6799.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6799.tmp

Filesize
1KB

MD5
0d5998d519bdbcdfea1035fa184520df

SHA1
d882478fd45a0dd33c2055367b46c171951523fc

SHA256
27b13c8dd72e744aa6b19ef575148b06ff34adfa18e6d4b59872019ac66322f0

SHA512
9c87e5a1a0b91d35aea917ccedb54a4a1e44ff44a58cb706f8086d626023e4391dbc76585cefc607f27d84b35c3b69f8fe4f68e13e1165e10189fe1f657aa47d

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

Filesize
45KB

MD5
4d820f671919b3029173d8659aa59600

SHA1
af68a0b9e9c58dcbdd2ede205c30537bca39650c

SHA256
c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0

SHA512
5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e

Download Submit
memory/2208-0-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2388-9-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2388-10-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-13-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-14-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-15-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads