General

  • Target

    7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll

  • Size

    820KB

  • Sample

    240616-blz6hsxarl

  • MD5

    0645646e6a417573d0047b6084e4632a

  • SHA1

    d43adf73470cb151a61482d2e5d87f3fa1420717

  • SHA256

    7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f

  • SHA512

    36daebde0a113fae75301f4b3bc09860b6c17788e3f132cd25cf66b1d6b726bf6df4ba80add24009bc1d5fb566359d3e4be6d54456fbbe733059e106f5878f87

  • SSDEEP

    12288:BG1N4HkcgMsiOd58bzbBSrePQ0uqZzD1reWabd/T7ppePgEKB9S4566Gwa:BoOOMX1/+QHT+d77ppqWB9S4Q6y

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1279

  • startup_name

    qns

Targets

    • Target

      7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll

    • Size

      820KB

    • MD5

      0645646e6a417573d0047b6084e4632a

    • SHA1

      d43adf73470cb151a61482d2e5d87f3fa1420717

    • SHA256

      7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f

    • SHA512

      36daebde0a113fae75301f4b3bc09860b6c17788e3f132cd25cf66b1d6b726bf6df4ba80add24009bc1d5fb566359d3e4be6d54456fbbe733059e106f5878f87

    • SSDEEP

      12288:BG1N4HkcgMsiOd58bzbBSrePQ0uqZzD1reWabd/T7ppePgEKB9S4566Gwa:BoOOMX1/+QHT+d77ppqWB9S4Q6y

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Detects executables packed with ConfuserEx Mod

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task/Job             1      T1053
  Persistence           Scheduled Task/Job             1      T1053
  Privilege Escalation  Scheduled Task/Job             1      T1053
  Defense Evasion       Modify Registry                1      T1112
  Discovery             Query Registry                 3      T1012
  Discovery             System Information Discovery   4      T1082

Tasks