General

  • Target

    0551dcf55adc23a07d56580729730d50.bin

  • Size

    193KB

  • Sample

    240703-bcv57stblm

  • MD5

    457d81a8e8406b222d763aa91f2f34b3

  • SHA1

    089ff1f5f7a8ee3ec741b0137002e7b5951bc0a8

  • SHA256

    5d90f816922a775af1e53bd81f95caba14df600fca8203f1c90e000939952383

  • SHA512

    9c7ee93ab5c001ddc3c9f2a50b9a89cbf5f9ec9cc056d588e98e7794127c93583cdb2e9e2bbe84d7b8cca565345d4efff6d0f9656639017eeae209edc0bb91cf

  • SSDEEP

    3072:sCd9IOoMDU5JdYfpZbo79D6iiX/GPliiVHzdwgLo/tJFHBjag2ZnWcE2UVZCr:nccg/UO9D6iGifwgLYR2kgUar

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    cms

Targets

    • Target

      1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9.exe

    • Size

      235KB

    • MD5

      0551dcf55adc23a07d56580729730d50

    • SHA1

      5d09095bde071815b26624712352a9b0cc579d16

    • SHA256

      1cc823962da2fa7a4d6fee8335ce8d92c6b44be627803cba85a1bdb8184da1d9

    • SHA512

      6368b2ffceffc2415c1d21f5cc2107c1374b0a045ebd7181c7e1557904d44cc33b0f55380f83cf9d1693ef5d24bd1d292aa7348a72a8cefe7df7d72b0dc27b81

    • SSDEEP

      6144:v5N2IzPXRuvbd0hT0rh+PGdhhG1soMRxPqs9sm6I:72IzPXYZ0+l+OPcVixPqs9smP

    Score
    10/10

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1

  • Persistence

    Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1

  • Privilege Escalation

    Scheduled Task/Job (T1053): 1
    Scheduled Task (T1053.005): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2