xenorat | fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad

Analysis

max time kernel
70s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

again.exe
Size

45KB
MD5

d315594aa686dfca1d10869c3c2a44cf
SHA1

16590fcebdac3382dbcd8756813a83e5662f68bd
SHA256

fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad
SHA512

6515e84c49dc91881d25e18650a0ed738db0c3a0fdc25b946c040ca34320786e9f9dd48876b06d7acf601e16f9dfb4f3946601cf79a80cdb2328eddebca69b86
SSDEEP

768:RdhO/poiiUcjlJInRTwH9Xqk5nWEZ5SbTDaRWI7CPW5s:Pw+jjgnCH9XqcnW85SbTgWI0

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

10.129.120.194

Mutex

skibidi_nd8912d

Attributes

delay
5000
install_path
appdata
port
4782
startup_name
skibidi

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

again.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation again.exe
Executes dropped EXE 1 IoCs

Processes:

again.exe

pid process

1100 again.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4556 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	again.exe

pid	process
1100	again.exe

pid	process
4556	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

again.exeagain.exe

description	pid	process	target process
PID 5016 wrote to memory of 1100	5016	again.exe	again.exe
PID 5016 wrote to memory of 1100	5016	again.exe	again.exe
PID 5016 wrote to memory of 1100	5016	again.exe	again.exe
PID 1100 wrote to memory of 4556	1100	again.exe	schtasks.exe
PID 1100 wrote to memory of 4556	1100	again.exe	schtasks.exe
PID 1100 wrote to memory of 4556	1100	again.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\again.exe
"C:\Users\Admin\AppData\Local\Temp\again.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Roaming\XenoManager\again.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\again.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "skibidi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp" /F
3⤵
- Creates scheduled task(s)
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\again.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp
Filesize
1KB

MD5
4a62209cdedfc42731224511b658bcb8

SHA1
087b4da43d98743393f3447d3c57332ab1d1cb3e

SHA256
cea13f60bd9a0160c6866d142d539308c0efb4a1db670dfc116c7ec03eb53ca3

SHA512
07e13b4b617a75aa3c5488294ce189bdc06b073bcf4ab34fe52ef9f8a7453e2ea75bd746da8e0d9e633c67577c6a156bf3013c949f3a8531a17db1e2023083b6

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\again.exe
Filesize
45KB

MD5
d315594aa686dfca1d10869c3c2a44cf

SHA1
16590fcebdac3382dbcd8756813a83e5662f68bd

SHA256
fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad

SHA512
6515e84c49dc91881d25e18650a0ed738db0c3a0fdc25b946c040ca34320786e9f9dd48876b06d7acf601e16f9dfb4f3946601cf79a80cdb2328eddebca69b86

Download Submit
memory/1100-15-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1100-18-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/5016-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/5016-1-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download