General

  • Target

    697098bd0a7aed4fa228af96addb4e6635c6ff69c80f729f3f0e82db62fc95ab.exe

  • Size

    236KB

  • Sample

    240704-vft7vszbmp

  • MD5

    5f86d94893b47e542cf857749dfcd185

  • SHA1

    7816d9af40a9e9265708df00af8137db67d8c7aa

  • SHA256

    697098bd0a7aed4fa228af96addb4e6635c6ff69c80f729f3f0e82db62fc95ab

  • SHA512

    8cf9bb6ba985843d57f2a013e40d3243b89e5aa0af07d504e9bcc7a2b577028a9cf24258bab14e256b7cb11f75a9a5993eff920879ab11f24c926bce85fb4c7d

  • SSDEEP

    6144:wA0gX+3bpKthw8rZg+mr08M0O5wkoYfMJRNeUqNI:wA0gXgpKNknMX57ocMJRNeUq2

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    cms

Targets

    • Target

      697098bd0a7aed4fa228af96addb4e6635c6ff69c80f729f3f0e82db62fc95ab.exe

    • Size

      236KB

    • MD5

      5f86d94893b47e542cf857749dfcd185

    • SHA1

      7816d9af40a9e9265708df00af8137db67d8c7aa

    • SHA256

      697098bd0a7aed4fa228af96addb4e6635c6ff69c80f729f3f0e82db62fc95ab

    • SHA512

      8cf9bb6ba985843d57f2a013e40d3243b89e5aa0af07d504e9bcc7a2b577028a9cf24258bab14e256b7cb11f75a9a5993eff920879ab11f24c926bce85fb4c7d

    • SSDEEP

      6144:wA0gX+3bpKthw8rZg+mr08M0O5wkoYfMJRNeUqNI:wA0gXgpKNknMX57ocMJRNeUq2

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks