xenorat | 3c4152c18560ee4704df2a72292e9def0725eae8c82d734273af4f617530cab2 | Triage

Submit
Reports

Overview

overview

Static

static

System.exe

windows10-1703-x64

System.exe

windows10-2004-x64

System.exe

windows11-21h2-x64

Sharing

General

Target

System.exe
Size

51KB
Sample

240705-3dyfha1eqd
MD5

19e0f465360d00dab6b22b745cef74ff
SHA1

08ec91406909a9754d83ed90671d36073789cfc6
SHA256

3c4152c18560ee4704df2a72292e9def0725eae8c82d734273af4f617530cab2
SHA512

063f04abf0612c31be0a71343e1b689e5211c4172fa000edbdddc0bcaccb03fb3e240409a5efb35c4b329661b27f25ef236978a110bffd1cc96c6584b035aee5
SSDEEP

768:vivdjHrddilbVauou79EommqkPBBQaHedSkGu2yPo+LGZYebFDaiH6RNSgNO14:opHmVauo30fqlnj6CSYebFfaf4+

Score

10^/10

xenorat persistence rat spyware stealer trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

System.exe

Resource

win10-20240611-en

xenorat rat trojan

windows10-1703-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

System.exe

Resource

win10v2004-20240704-en

xenorat rat trojan

windows10-2004-x64

8 signatures

150 seconds

Behavioral task

behavioral3

Sample

System.exe

Resource

win11-20240704-en

xenorat persistence rat spyware stealer trojan

windows11-21h2-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xenorat

C2

147.185.221.20

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
49485
startup_name
System

Targets

- Target
  
  System.exe
- Size
  
  51KB
- MD5
  
  19e0f465360d00dab6b22b745cef74ff
- SHA1
  
  08ec91406909a9754d83ed90671d36073789cfc6
- SHA256
  
  3c4152c18560ee4704df2a72292e9def0725eae8c82d734273af4f617530cab2
- SHA512
  
  063f04abf0612c31be0a71343e1b689e5211c4172fa000edbdddc0bcaccb03fb3e240409a5efb35c4b329661b27f25ef236978a110bffd1cc96c6584b035aee5
- SSDEEP
  
  768:vivdjHrddilbVauou79EommqkPBBQaHedSkGu2yPo+LGZYebFDaiH6RNSgNO14:opHmVauo30fqlnj6CSYebFfaf4+
Score

10^/10

xenorat rat trojan persistence spyware stealer
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Active Setup

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan

behavioral3

xenoratpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy