General

  • Target

    5475ac0337614b9651483ca83628c38f.bin

  • Size

    581KB

  • Sample

    240617-b1kpdasekm

  • MD5

    bdee83cc25a6028993abd42ac06db4e4

  • SHA1

    3f8effd698102f35fba71d784ee9737b3fad31b9

  • SHA256

    d5b5e661f87559ceb5192f9e7c01f357c2762d26daff88fe308bb1141eaf2e40

  • SHA512

    539d2f68f712cf190e693a916d3ba1daf3e49160752a2197a992ce1e3587dfc610072375b6bf2c47110b4af02a5893b2fa1eae58eb9b060c771ab04572e408bb

  • SSDEEP

    12288:KUZRZIAMX9GiNXpdwSl+p8YBCEdb09WAlmQ7S2KG8jQ2Ihi:K2RePZpl+IEd4t22KGmZ

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1279

  • startup_name

    qns

Targets

  • Target

    8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7.xll

  • Size

    819KB

  • MD5

    5475ac0337614b9651483ca83628c38f

  • SHA1

    d03d0806bb24207780b441a090e3ff9e9d263929

  • SHA256

    8eaf377f8fc59bb93ada3e1f94571ebbbc3d3732475c86239ee72e4c1f2f31c7

  • SHA512

    d4d7d417fbadb98ac94e728c994b4ae7abc505632a1eb79d8f8193c71daa7bbbf2aa709713ec94ffa9b645dcf02b06907cd3fe1538840dfc22411c229bbcdb8c

  • SSDEEP

    12288:xG1N4HkcgMsiOd58bzbBSre6Q0uqZzD1reWabd/dbNZEEx/DLn0vkYHipwyA:xoOOMX1K+QHT+d9NZdxYHip

Score
10/10

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Checks computer location settings

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (T1053): 1

  • Persistence

    Scheduled Task/Job (T1053): 1

  • Privilege Escalation

    Scheduled Task/Job (T1053): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 3

    System Information Discovery (T1082): 4

Tasks