xenorat | 1873a35b76ee68cd850440501e1ec3f572d126f6174fdd61813f3e5821c9a266

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:10

Target

EnsureRunning.exe
Size

119KB
MD5

b6aa8ac6138abcc3bff5dd4176a45a3f
SHA1

a65e8fc2c31e6846347028be7d76d7e1183db189
SHA256

1873a35b76ee68cd850440501e1ec3f572d126f6174fdd61813f3e5821c9a266
SHA512

be4a5687430e5eda3cc83f6a8743257195c73e7151deb33743d34bce11c74d15e1ae45b0f3150b1ca771f698ab3168174e812da343c14af4d94fb82527c12250
SSDEEP

1536:BZdBIw+jjgnJ2H9XqcnW85SbThuIkKuZ+8uZ3nV5XS65mkrPZ58kzQ+e+e+gi:TdGw+jqJ491UbTh3h7J7M+e+e+gi

Score

10^/10

xenorat rat trojan

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1756 2176 WerFault.exe EnsureRunning.exe

pid	pid_target	process	target process
1756	2176	WerFault.exe	EnsureRunning.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

EnsureRunning.exe

description	pid	process	target process
PID 2176 wrote to memory of 1756	2176	EnsureRunning.exe	WerFault.exe
PID 2176 wrote to memory of 1756	2176	EnsureRunning.exe	WerFault.exe
PID 2176 wrote to memory of 1756	2176	EnsureRunning.exe	WerFault.exe
PID 2176 wrote to memory of 1756	2176	EnsureRunning.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\EnsureRunning.exe
"C:\Users\Admin\AppData\Local\Temp\EnsureRunning.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 560
2⤵
- Program crash
PID:1756

memory/2176-0-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000000250000-0x0000000000274000-memory.dmp

Filesize
144KB

Download
memory/2176-2-0x000000007442E000-0x000000007442F000-memory.dmp

Filesize
4KB

Download