General

  • Target

    884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

  • Size

    235KB

  • Sample

    240702-b4bkwavgrr

  • MD5

    2c2e04484f2c8317df24936703c2b146

  • SHA1

    551562978661e925c8b56489d0fa92635ef6e965

  • SHA256

    884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce

  • SHA512

    abbb705268385861143a59d460d5ecf2fb7e8cb803fb419b4248faa3a6e3d8a2029f5e2265c2fdd5a46b4c32b608e3d89b55746bdac4b5d79796e89f20f7766b

  • SSDEEP

    6144:lyTqCfoPYvHf+/MBeXAQZXZNyVOPyG+SpIOgBHqfWh7VwpSFDFzI:lsNfrqMBCDNysaGvIO2qfWh7VwpSFDF0

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8859g

Attributes

  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    cms

Targets

    • Target

      884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce.exe

    • Size

      235KB

    • MD5

      2c2e04484f2c8317df24936703c2b146

    • SHA1

      551562978661e925c8b56489d0fa92635ef6e965

    • SHA256

      884b586231504947e47b158b414747323442185162aa32d348f21ce61c9124ce

    • SHA512

      abbb705268385861143a59d460d5ecf2fb7e8cb803fb419b4248faa3a6e3d8a2029f5e2265c2fdd5a46b4c32b608e3d89b55746bdac4b5d79796e89f20f7766b

    • SSDEEP

      6144:lyTqCfoPYvHf+/MBeXAQZXZNyVOPyG+SpIOgBHqfWh7VwpSFDFzI:lsNfrqMBCDNysaGvIO2qfWh7VwpSFDF0

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks