xenorat | 249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99

Analysis

max time kernel
124s
max time network
133s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
Size

240KB
MD5

cc5b6e9deec470d26e074859ca794aca
SHA1

0cf0d409f644c3712299b0c91ea249537d51ff45
SHA256

249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99
SHA512

bd97b5d8ef82d68dc1d0a2162375a6515b927be95e99dd6a4a725172da885eff4e162d80ad4bbac30b579d6e9fa3d6d73f452716239d61b7c01803afa653959d
SSDEEP

6144:suCZay34VffBhW5JDo4mLDiBRnB7/Z8rnA++gQj79toI:JCF0f/O+4m6vkrnA++gQj79T

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes

delay
60000
install_path
appdata
port
1280
startup_name
dms

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 4 IoCs

pid	Process
2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
3056	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
2316	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
2044	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe

Loads dropped DLL 4 IoCs

pid	Process
2440	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 set thread context of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 set thread context of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 2532 set thread context of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 set thread context of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 set thread context of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1224	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
Token: SeDebugPrivilege	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2804	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	31
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2440	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	32
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 1856 wrote to memory of 2664	1856	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	33
PID 2440 wrote to memory of 2532	2440	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	34
PID 2440 wrote to memory of 2532	2440	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	34
PID 2440 wrote to memory of 2532	2440	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	34
PID 2440 wrote to memory of 2532	2440	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	34
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 3056	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	35
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2316	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	36
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2532 wrote to memory of 2044	2532	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	37
PID 2664 wrote to memory of 1224	2664	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	38
PID 2664 wrote to memory of 1224	2664	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	38
PID 2664 wrote to memory of 1224	2664	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	38
PID 2664 wrote to memory of 1224	2664	249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe	38

C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
"C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
  C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
  C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
      4⤵
      Executes dropped EXE
      PID:3056
  - - C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
      4⤵
      Executes dropped EXE
      PID:2316
  - - C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
      4⤵
      Executes dropped EXE
      PID:2044
- C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
  C:\Users\Admin\AppData\Local\Temp\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7F8.tmp" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD7F8.tmp

Filesize
1KB

MD5
a9d3f8abd4e6fd7af3ac8c53b6e1f0f7

SHA1
5eb5022233698b1d053aadd59435a44fa941b86d

SHA256
b9d9e57c2368029684360189348709bccc5b91266ba94da7999cafb2b196321a

SHA512
c93d2bb653820c44fb7db8b8da2cae6de9acdf8065cdc8df1cb85a03ac4f2b1a8df44dca777b6c452a63335931dde4231ee44efb2584a27dbbf02c81e1450edf

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99.exe

Filesize
240KB

MD5
cc5b6e9deec470d26e074859ca794aca

SHA1
0cf0d409f644c3712299b0c91ea249537d51ff45

SHA256
249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99

SHA512
bd97b5d8ef82d68dc1d0a2162375a6515b927be95e99dd6a4a725172da885eff4e162d80ad4bbac30b579d6e9fa3d6d73f452716239d61b7c01803afa653959d

Download Submit
memory/1856-26-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-0-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/1856-4-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-5-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1856-3-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/1856-1-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/1856-2-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/2440-32-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-25-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-33-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2804-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2804-23-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2804-49-0x0000000074080000-0x000000007476E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads