xenorat | 34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554

Analysis

max time kernel
132s
max time network
142s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554.exe
Size

45KB
MD5

a3c6004fe28bb102e0029496498a72ad
SHA1

d975ddb4423a73152c6c3cb98f716ae034f1d4a5
SHA256

34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554
SHA512

9e765fe761c83f28131f5346f1f507fa9ad9f8a6e47d513e9a8fd2201f8f41b3255b80cf08c3b0cc897f07ff4bd44d2a9beeaca5f295d165383883e43fd7cf1f
SSDEEP

768:FdhO/poiiUcjlJIngQzH9Xqk5nWEZ5SbTDaqWI7CPW5N:bw+jjgngSH9XqcnW85SbTDWIl

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.254.187

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
22
startup_name
Windows

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2956	2400	34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554.exe	28
PID 2400 wrote to memory of 2956	2400	34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554.exe	28
PID 2400 wrote to memory of 2956	2400	34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554.exe	28
PID 2400 wrote to memory of 2956	2400	34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554.exe	28

C:\Users\Admin\AppData\Local\Temp\34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554.exe
"C:\Users\Admin\AppData\Local\Temp\34845dadebb0249756855a3255e6cebebae8f614c45022455d83848c2657c554.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3ABF.tmp" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3ABF.tmp

Filesize
1KB

MD5
ede64eaa3c93844334f72ba570de9472

SHA1
bdba8745384617651564d2b37c0b739885318944

SHA256
615b3f9732208a105e98a076d374ac87a501b53bc862cc19185936fd1366fb68

SHA512
056dfd298ec1dc695116d40e191e8980bc1afc52bd7ff42a584c583dc6a94ad1ad07c5a13a9bd58c3a831b420b3d721c41e15ef225b12f7f3225f608e47f3a3d

Download Submit
memory/2400-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/2400-4-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download
memory/2400-5-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

Filesize
4KB

Download
memory/2400-6-0x0000000074C60000-0x000000007534E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads