xenorat | 639ef6c263e48a4e6d3c2ffe628c85351d51df4a58955d0fdf64a8764812cca0 | Triage

Submit
Reports

Overview

overview

Static

static

3

Odeme_Takv...24.xll

windows7-x64

7

Odeme_Takv...24.xll

windows10-2004-x64

Sharing

General

Target

Odeme_Takvimi_Ocak-2024.xll
Size

832KB
Sample

240614-qcm7xswakl
MD5

a18a3a3e81558c30701a5d28fbea50db
SHA1

044a8edc053be2fa5dff2565b4f08906c51f5a91
SHA256

639ef6c263e48a4e6d3c2ffe628c85351d51df4a58955d0fdf64a8764812cca0
SHA512

d6758fefe0955c5be4fa9dada657e61db294b6039d4be1781cc474ba001bbcd131c49102e26fa2f699c77084548c60b29c9dc15a8ab42cef10f779b243600db6
SSDEEP

12288:7G1N4HkcgMsiOd58bzbBSreqQ0uqZzD1reWabd/50+m70avcUthVLFH1Lo:7oOOMX16+QHT+dB0+m70qve

Score

10^/10

xenorat rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Odeme_Takvimi_Ocak-2024.xll

Resource

win7-20240611-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Odeme_Takvimi_Ocak-2024.xll

Resource

win10v2004-20240611-en

xenorat rat trojan

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes

delay
5000
install_path
appdata
port
4450
startup_name
setting

Targets

- Target
  
  Odeme_Takvimi_Ocak-2024.xll
- Size
  
  832KB
- MD5
  
  a18a3a3e81558c30701a5d28fbea50db
- SHA1
  
  044a8edc053be2fa5dff2565b4f08906c51f5a91
- SHA256
  
  639ef6c263e48a4e6d3c2ffe628c85351d51df4a58955d0fdf64a8764812cca0
- SHA512
  
  d6758fefe0955c5be4fa9dada657e61db294b6039d4be1781cc474ba001bbcd131c49102e26fa2f699c77084548c60b29c9dc15a8ab42cef10f779b243600db6
- SSDEEP
  
  12288:7G1N4HkcgMsiOd58bzbBSreqQ0uqZzD1reWabd/50+m70avcUthVLFH1Lo:7oOOMX16+QHT+dB0+m70qve
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

xenoratrattrojan

© 2018-2024

Terms | Privacy