General

  • Target

    477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c

  • Size

    240KB

  • Sample

    240704-nstnjaydlg

  • MD5

    b41d067615ca60ffe4253297866d79be

  • SHA1

    1aab2b69eb9f918d1e0a23a82a98411709ee2fdb

  • SHA256

    477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c

  • SHA512

    7c5b98c2e3fbdafc0949ca9d32b9c41be044f3b99052e1119472d1999442114ed60d5949929e7b14aa028c77c7adc638ee0507362ab848af7cb4612c9313e29e

  • SSDEEP

    6144:oGB7vPW1gnEHLltCX754KLHrdoBiEd0nJ1iaJC4E2Hjyq3RVlA44I:oOOCnEHXY7ZzreHin7iaJC4E2Hjyq3Rj

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Targets

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks