General

  • Target

    UnamBinder.exe

  • Size

    9.4MB

  • Sample

    240702-ztp8aaygkc

  • MD5

    70565dbd654937df2eaefc7c79941169

  • SHA1

    5cb8daf1185704a9772f07dcec2e499149517715

  • SHA256

    a90ba5a56422c0d2a41f28da056affd69cc8929e14dcdab1583ec96b50b8e28d

  • SHA512

    64b89f77d6528c838c0288c59203455ea3318028816d4426f818c6b8c3258d8e5e13242b175d7b3402547cfd5a0acddb212b9f9b5bbf5d259cd4befc2d078a4c

  • SSDEEP

    196608:g81oBGyk1BK5Gf01Up2GRlRaNqg4eS+wDjxx1ohqsIOGvuQdaQ:g46GykqGf5sGRT2qFP+GDAqkG2i

Malware Config

Extracted

Family

xenorat

C2

37.120.141.155

Mutex

SteamUDP_FULL

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    22914

  • startup_name

    SteamUDPUpdater

Targets

    • Target

      UnamBinder.exe

    • Size

      9.4MB

    • MD5

      70565dbd654937df2eaefc7c79941169

    • SHA1

      5cb8daf1185704a9772f07dcec2e499149517715

    • SHA256

      a90ba5a56422c0d2a41f28da056affd69cc8929e14dcdab1583ec96b50b8e28d

    • SHA512

      64b89f77d6528c838c0288c59203455ea3318028816d4426f818c6b8c3258d8e5e13242b175d7b3402547cfd5a0acddb212b9f9b5bbf5d259cd4befc2d078a4c

    • SSDEEP

      196608:g81oBGyk1BK5Gf01Up2GRlRaNqg4eS+wDjxx1ohqsIOGvuQdaQ:g46GykqGf5sGRT2qFP+GDAqkG2i

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks