General

  • Target

    0645646e6a417573d0047b6084e4632a.bin

  • Size

    582KB

  • Sample

    240617-bcy7vs1cmq

  • MD5

    ef86109090232d2ebf6daf8e611c2955

  • SHA1

    133d5d69eb94bb1b6e15ff6e68d47646d0ab759c

  • SHA256

    a0ba9c55499cf890a27dfcdee222d751e9d03aef0fbfd8f35d8d199ec4157e27

  • SHA512

    df44fe66f91829fc3e510a64201ac6e3420de539c45b84f24b46d847c371a26d18f392d876883ddaebc88cfd0ccf528f19bd9508f4300810c8c2ddaf587e00f0

  • SSDEEP

    12288:FZJcxjDnRmxv61MjHjaKbQPmBM+V+lYD0bpZ+L6z:RcDnExv66jHjaKbQO+Jm0rVz

Score
10/10

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

Extracted

  • Family

    xenorat

  • C2

    91.92.248.167

  • Mutex

    Wolid_rat_nd8889g

  • Attributes

    • delay

      60000

    • install_path

      appdata

    • port

      1279

    • startup_name

      qns

Targets

    • Target

      7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f.xll

    • Size

      820KB

    • MD5

      0645646e6a417573d0047b6084e4632a

    • SHA1

      d43adf73470cb151a61482d2e5d87f3fa1420717

    • SHA256

      7c43077f843fcf5ad00e36587087929c73702171bfb36e4c5007ea54df09e37f

    • SHA512

      36daebde0a113fae75301f4b3bc09860b6c17788e3f132cd25cf66b1d6b726bf6df4ba80add24009bc1d5fb566359d3e4be6d54456fbbe733059e106f5878f87

    • SSDEEP

      12288:BG1N4HkcgMsiOd58bzbBSrePQ0uqZzD1reWabd/T7ppePgEKB9S4566Gwa:BoOOMX1/+QHT+d77ppqWB9S4Q6y

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Scheduled Task/Job (T1053) ×1
  • Persistence: Scheduled Task/Job (T1053) ×1
  • Privilege Escalation: Scheduled Task/Job (T1053) ×1
  • Defense Evasion: Modify Registry (T1112) ×1
  • Discovery: Query Registry (T1012) ×3; System Information Discovery (T1082) ×4
