xenorat | 0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3 | Triage

Sharing

General

Target

CalendariodePago.exe
Size

612KB
Sample

240704-vmk8jazdqr
MD5

5cb029f745b0691ec119a958319c31ef
SHA1

e7079a4aa2715132d6ea4ac4e7997effea00e979
SHA256

0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3
SHA512

61bbb3929c8d233bc3ebb265094ff515ad509a18903edbad887f1d9ad23982ace2adc619f9bde098565a20674ce29973ac2bc83558a3f6f5b02548df09e68094
SSDEEP

12288:ycrNS33L10QdrXpxen47qBmk1cNi3qYjY7fopC4xky2tuqFUmt:ZNA3R5drXPe47qBmk1+i39jWfopCObqJ

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes

delay
5000
install_path
appdata
port
4450
startup_name
setting

Targets

- Target
  
  CalendariodePago.exe
- Size
  
  612KB
- MD5
  
  5cb029f745b0691ec119a958319c31ef
- SHA1
  
  e7079a4aa2715132d6ea4ac4e7997effea00e979
- SHA256
  
  0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3
- SHA512
  
  61bbb3929c8d233bc3ebb265094ff515ad509a18903edbad887f1d9ad23982ace2adc619f9bde098565a20674ce29973ac2bc83558a3f6f5b02548df09e68094
- SSDEEP
  
  12288:ycrNS33L10QdrXpxen47qBmk1cNi3qYjY7fopC4xky2tuqFUmt:ZNA3R5drXPe47qBmk1+i39jWfopCObqJ
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan