General

  • Target

    pics.exe

  • Size

    45KB

  • Sample

    240621-g2eseazcpb

  • MD5

    a02107a30c960620ce21bd2030442feb

  • SHA1

    51ff3d68754c8b39479649691d5fcc1179fa07b6

  • SHA256

    3e85bcf513c45d1d4ff742714cdde33230115c4a64a74d46770b3f62ad7a1c7d

  • SHA512

    ed16c4048c255dbf80770f9fedbac6d8e4604d64cc7040a8d69a314c68313eed04bf1683dd14f9619e3b0d81756b3ed044f7a4768c0c0588f7d4b893f8ff2299

  • SSDEEP

    768:9dhO/poiiUcjlJInpylF2I8H9Xqk5nWEZ5SbTDaauI7CPW57:zw+jjgnAlF2I8H9XqcnW85SbTXuIj

Malware Config

Extracted

  • Family

    xenorat

  • C2

    91.92.245.171

  • Mutex

    Xeno_rat_nd8912d

  • Attributes

    • delay

      5000

    • install_path

      appdata

    • port

      5764

    • startup_name

      Chrome

Targets

    • Target

      pics.exe


    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile data.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                       Count  ID
  Execution             Scheduled Task/Job              1      T1053
  Execution             Scheduled Task                  1      T1053.005
  Persistence           Scheduled Task/Job              1      T1053
  Persistence           Scheduled Task                  1      T1053.005
  Privilege Escalation  Scheduled Task/Job              1      T1053
  Privilege Escalation  Scheduled Task                  1      T1053.005
  Credential Access     Unsecured Credentials           1      T1552
  Credential Access     Credentials In Files            1      T1552.001
  Discovery             Query Registry                  1      T1012
  Discovery             System Information Discovery    2      T1082
  Collection            Data from Local System          1      T1005

Tasks