General

  • Target

    568383287c850ef98c2fde1c642870f2.bin

  • Size

    581KB

  • Sample

    240617-b1nq2asekp

  • MD5

    678994954489928adc6a944d3f1e6c2d

  • SHA1

    f483bb04073f9a18221e1210f61f79116ac865ab

  • SHA256

    2ee6cf040995d16cd63d95e2bb9216cfa96960d2866e533ec5152bda51b8c860

  • SHA512

    30645b5227049505add0c190b576a26aa78f1140edd11a79903e3d2232b7713035134cd6b649ccd175f9eddaa83638edfeea2f4a34ec0abd09a008e6bf5417da

  • SSDEEP

    12288:qhkVgfvifaXphKtS2Ds1fFhiKlLbmBOIcZDyhzOEjLo:q+Vgfv/XpcZDsVjiKlLbmgI8Dq66o

Score
10/10

Malware Config

Extracted

Language
xlm4.0 (Excel 4.0 / XLM macro)
Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1279

  • startup_name

    qns

Targets

    • Target

      c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5.xll

    • Size

      819KB

    • MD5

      568383287c850ef98c2fde1c642870f2

    • SHA1

      f8487d82118c0439545fddde534bdde0250885ee

    • SHA256

      c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5

    • SHA512

      11e5d1b7eb2113a5d283e01ea715479f84fb401a2f0940639368cf4453f0a478c8af905aae8fdb3b05c9a090f4838cbfb9b5f0ec509d533b8ffc36ad858df3a0

    • SSDEEP

      12288:1G1N4HkcgMsiOd58bzbBSreqQ0uqZzD1reWabd/84QKycycwU636x2Cd5J:1oOOMX16+QHT+dbQKZBxP5

    Score
    10/10
    • XenoRAT

      XenoRAT is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
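The indicators above (the two file hashes, the C2 address and port, the startup name) are what a responder would sweep a host for. The following is an added example, not code from the sandbox report or from the malware: a small Python IOC sweep that hashes files against the report's SHA256 values, parses `netstat -ano` style output for sockets to 91.92.248.167, and checks enumerated scheduled-task names for `qns`. The netstat lines and task names in it are constructed test data; treating `startup_name` as the scheduled-task name is an assumption (the T1053 mapping in the matrix suggests it, the report does not state it); only the indicator values themselves come from the report.

```python
"""Host IOC sweep assembled from the extracted XenoRAT config and the
file hashes listed in this report.

Added example, not code from the sandbox report or from the malware.
Everything labelled "constructed" below is made up to exercise the
functions; only the indicator values come from the report.
"""
import hashlib
import re
from pathlib import Path

# --- Indicators from the report ---------------------------------------
C2_IP = "91.92.248.167"
C2_PORT = 1279
MUTEX = "Wolid_rat_nd8889g"   # needs handle enumeration on the live host; listed for reference
# Assumption: startup_name "qns" is also the scheduled-task name the RAT
# registers (the report maps the sample to T1053 but does not say this).
STARTUP_NAME = "qns"
KNOWN_SHA256 = {
    "2ee6cf040995d16cd63d95e2bb9216cfa96960d2866e533ec5152bda51b8c860":
        "568383287c850ef98c2fde1c642870f2.bin",
    "c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5":
        "c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5.xll",
}

# `netstat -ano` row: proto, local addr:port, remote addr:port, state, pid
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+\S+:\d+\s+(?P<rip>[\d.]+):(?P<rport>\d+)\s+\S+\s+(?P<pid>\d+)\s*$"
)


def sha256_of(path):
    """Stream the file so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(paths, known=KNOWN_SHA256):
    """Return [(path, report_name)] for files whose SHA256 is in `known`."""
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            digest = sha256_of(p)
            if digest in known:
                hits.append((str(p), known[digest]))
    return hits


def find_c2_connections(netstat_lines, ip=C2_IP, port=C2_PORT):
    """Return [(pid, confidence)] for sockets touching the C2 server.

    An exact ip:port match is high confidence; the IP alone is still worth
    reporting, because operators rotate ports more readily than servers.
    """
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m or m["rip"] != ip:
            continue
        confidence = "high" if int(m["rport"]) == port else "medium"
        hits.append((int(m["pid"]), confidence))
    return hits


def find_startup_task(task_names, name=STARTUP_NAME):
    """Case-insensitive match against enumerated scheduled-task names."""
    return [t for t in task_names if t.strip().lower() == name.lower()]


# Constructed sample inputs (not from the report).
SAMPLE_NETSTAT = [
    "  TCP    10.0.0.5:49821   91.92.248.167:1279   ESTABLISHED   4120",
    "  TCP    10.0.0.5:49822   142.250.74.78:443    ESTABLISHED   2288",
    "  TCP    10.0.0.5:49830   91.92.248.167:443    SYN_SENT      4120",
    "  UDP    0.0.0.0:5353     *:*                                1204",
]
SAMPLE_TASKS = ["MicrosoftEdgeUpdateTaskMachineUA", "qns", "OneDrive Reporting Task"]

if __name__ == "__main__":
    print("C2 sockets:", find_c2_connections(SAMPLE_NETSTAT))
    print("Startup task:", find_startup_task(SAMPLE_TASKS))
    print("Hash hits:", match_hashes(Path(".").glob("*")))
```

On a real host, feed `find_c2_connections` the output of `netstat -ano` and `find_startup_task` the names from `schtasks /query /fo csv`; the hash check is the only one of the three that survives a config change by the operator, so keep it even when the network indicator looks stale.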

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task/Job            1      T1053
  Persistence           Scheduled Task/Job            1      T1053
  Privilege Escalation  Scheduled Task/Job            1      T1053
  Defense Evasion       Modify Registry               1      T1112
  Discovery             Query Registry                3      T1012
  Discovery             System Information Discovery  4      T1082

Tasks