xenorat | 7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f | Triage

Submit
Reports

Overview

overview

Static

static

3

7c43077f84...7f.xll

windows7-x64

7

7c43077f84...7f.xll

windows10-2004-x64

Sharing

General

Target

7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll
Size

820KB
Sample

240616-blz6hsxarl
MD5

0645646e6a417573d0047b6084e4632a
SHA1

d43adf73470cb151a61482d2e5d87f3fa1420717
SHA256

7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f
SHA512

36daebde0a113fae75301f4b3bc09860b6c17788e3f132cd25cf66b1d6b726bf6df4ba80add24009bc1d5fb566359d3e4be6d54456fbbe733059e106f5878f87
SSDEEP

12288:BG1N4HkcgMsiOd58bzbBSrePQ0uqZzD1reWabd/T7ppePgEKB9S4566Gwa:BoOOMX1/+QHT+d77ppqWB9S4Q6y

Score

10^/10

xenorat rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll

Resource

win7-20240220-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll

Resource

win10v2004-20240611-en

xenorat rat trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes

delay
60000
install_path
appdata
port
1279
startup_name
qns

Targets

- Target
  
  7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll
- Size
  
  820KB
- MD5
  
  0645646e6a417573d0047b6084e4632a
- SHA1
  
  d43adf73470cb151a61482d2e5d87f3fa1420717
- SHA256
  
  7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f
- SHA512
  
  36daebde0a113fae75301f4b3bc09860b6c17788e3f132cd25cf66b1d6b726bf6df4ba80add24009bc1d5fb566359d3e4be6d54456fbbe733059e106f5878f87
- SSDEEP
  
  12288:BG1N4HkcgMsiOd58bzbBSrePQ0uqZzD1reWabd/T7ppePgEKB9S4566Gwa:BoOOMX1/+QHT+d77ppqWB9S4Q6y
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Detects executables packed with ConfuserEx Mod
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xenoratrattrojan

© 2018-2024

Terms | Privacy