General

  • Target

    568383287c850ef98c2fde1c642870f2.bin

  • Size

    581KB

  • Sample

    240704-vbtqjazajr

  • MD5

    678994954489928adc6a944d3f1e6c2d

  • SHA1

    f483bb04073f9a18221e1210f61f79116ac865ab

  • SHA256

    2ee6cf040995d16cd63d95e2bb9216cfa96960d2866e533ec5152bda51b8c860

  • SHA512

    30645b5227049505add0c190b576a26aa78f1140edd11a79903e3d2232b7713035134cd6b649ccd175f9eddaa83638edfeea2f4a34ec0abd09a008e6bf5417da

  • SSDEEP

    12288:qhkVgfvifaXphKtS2Ds1fFhiKlLbmBOIcZDyhzOEjLo:q+Vgfv/XpcZDsVjiKlLbmgI8Dq66o

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8889g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1279

  • startup_name

    qns

Targets

    • Target

      c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5.xll

    • Size

      819KB

    • MD5

      568383287c850ef98c2fde1c642870f2

    • SHA1

      f8487d82118c0439545fddde534bdde0250885ee

    • SHA256

      c99818a50f8c02af5204158301bf8552993c03ade20f2016b5997d440d2297c5

    • SHA512

      11e5d1b7eb2113a5d283e01ea715479f84fb401a2f0940639368cf4453f0a478c8af905aae8fdb3b05c9a090f4838cbfb9b5f0ec509d533b8ffc36ad858df3a0

    • SSDEEP

      12288:1G1N4HkcgMsiOd58bzbBSreqQ0uqZzD1reWabd/84QKycycwU636x2Cd5J:1oOOMX16+QHT+dbQKZBxP5

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks