xenorat | hxxps://raw[.]githubusercontent[.]com/IncsecRishie/wdwddwdw/main/something[.]exe | Triage

Sharing

General

Target

https://raw.githubusercontent.com/IncsecRishie/wdwddwdw/main/something.exe
Sample

240701-mx4hvszhrp

Score

10^/10

xenorat persistence rat trojan

Malware Config

Extracted

Family

xenorat

C2

91.92.245.171

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
5764
startup_name
Chrome

Targets

- Target
  
  https://raw.githubusercontent.com/IncsecRishie/wdwddwdw/main/something.exe
Score

10^/10

xenorat persistence rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

xenoratpersistencerattrojan