Overview

overview

10

Static

static

3

c99818a50f...c5.xll

windows7-x64

7

c99818a50f...c5.xll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5.xll

  • Size

    819KB

  • Sample

    240616-btsfmstdph

  • MD5

    568383287c850ef98c2fde1c642870f2

  • SHA1

    f8487d82118c0439545fddde534bdde0250885ee

  • SHA256

    c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5

  • SHA512

    11e5d1b7eb2113a5d283e01ea715479f84fb401a2f0940639368cf4453f0a478c8af905aae8fdb3b05c9a090f4838cbfb9b5f0ec509d533b8ffc36ad858df3a0

  • SSDEEP

    12288:1G1N4HkcgMsiOd58bzbBSreqQ0uqZzD1reWabd/84QKycycwU636x2Cd5J:1oOOMX16+QHT+dbQKZBxP5

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1279

  • startup_name

    qns

Targets

    • Target

      c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5.xll

    • Size

      819KB

    • MD5

      568383287c850ef98c2fde1c642870f2

    • SHA1

      f8487d82118c0439545fddde534bdde0250885ee

    • SHA256

      c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5

    • SHA512

      11e5d1b7eb2113a5d283e01ea715479f84fb401a2f0940639368cf4453f0a478c8af905aae8fdb3b05c9a090f4838cbfb9b5f0ec509d533b8ffc36ad858df3a0

    • SSDEEP

      12288:1G1N4HkcgMsiOd58bzbBSreqQ0uqZzD1reWabd/84QKycycwU636x2Cd5J:1oOOMX16+QHT+dbQKZBxP5

    Score
    10/10
    xenoratrattrojan

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Detects executables packed with ConfuserEx Mod

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks