xenorat | 2862c2fdbd071dd3308fb352a626da5e5f010c9b5ee9b3b1f6671e78c556dd55 | Triage

Sharing

General

Target

QuasarInstaller.exe
Size

491KB
Sample

240704-vtxj5sscnd
MD5

8def0ef788602675c4d6fc2a72f93944
SHA1

b153631a58aa2b88120412f84493fb3250673e4c
SHA256

2862c2fdbd071dd3308fb352a626da5e5f010c9b5ee9b3b1f6671e78c556dd55
SHA512

e10bbc8b382accb4e946e1058c3bf17305a8df53d3d034dace25b7506d2fb7d56b47b5ed6552c3fc0a32d492f9eccf92d95664591091f7d0c30aac882a3ea45b
SSDEEP

12288:5CQjgAtAHM+vetZxF5EWry8AJGy0vC8JLY8V1/3sRRAw:55ZWs+OZVEWry8AF18JLYgUR1

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Quasar

Targets

- Target
  
  QuasarInstaller.exe
- Size
  
  491KB
- MD5
  
  8def0ef788602675c4d6fc2a72f93944
- SHA1
  
  b153631a58aa2b88120412f84493fb3250673e4c
- SHA256
  
  2862c2fdbd071dd3308fb352a626da5e5f010c9b5ee9b3b1f6671e78c556dd55
- SHA512
  
  e10bbc8b382accb4e946e1058c3bf17305a8df53d3d034dace25b7506d2fb7d56b47b5ed6552c3fc0a32d492f9eccf92d95664591091f7d0c30aac882a3ea45b
- SSDEEP
  
  12288:5CQjgAtAHM+vetZxF5EWry8AJGy0vC8JLY8V1/3sRRAw:55ZWs+OZVEWry8AF18JLYgUR1
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan