General

  • Target

    CalendariodePago.exe

  • Size

    612KB

  • Sample

    240704-vmk8jazdqr

  • MD5

    5cb029f745b0691ec119a958319c31ef

  • SHA1

    e7079a4aa2715132d6ea4ac4e7997effea00e979

  • SHA256

    0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3

  • SHA512

    61bbb3929c8d233bc3ebb265094ff515ad509a18903edbad887f1d9ad23982ace2adc619f9bde098565a20674ce29973ac2bc83558a3f6f5b02548df09e68094

  • SSDEEP

    12288:ycrNS33L10QdrXpxen47qBmk1cNi3qYjY7fopC4xky2tuqFUmt:ZNA3R5drXPe47qBmk1+i39jWfopCObqJ

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4450

  • startup_name

    setting

Targets

    • Target

      CalendariodePago.exe

    • Size

      612KB

    • MD5

      5cb029f745b0691ec119a958319c31ef

    • SHA1

      e7079a4aa2715132d6ea4ac4e7997effea00e979

    • SHA256

      0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3

    • SHA512

      61bbb3929c8d233bc3ebb265094ff515ad509a18903edbad887f1d9ad23982ace2adc619f9bde098565a20674ce29973ac2bc83558a3f6f5b02548df09e68094

    • SSDEEP

      12288:ycrNS33L10QdrXpxen47qBmk1cNi3qYjY7fopC4xky2tuqFUmt:ZNA3R5drXPe47qBmk1+i39jWfopCObqJ

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks