General

  • Target

    9ecc46cd8417073a40224da5bdeacff7.bin

  • Size

    194KB

  • Sample

    240707-d9a8eavfpa

  • MD5

    39ac8830d48274cbd87380da47945f1f

  • SHA1

    8bd67f2d5bfff40f8f7502f18123ebd8f8f168d5

  • SHA256

    aaf602a30ead7c1051e896420f6f14463e858607347cc3ca3f07e6ada7e962fd

  • SHA512

    1345a00691b84ad23fcced82e5f591a0a912a3f48a3fdc9f9d613c7398b749d053108134e404c0fde72ea3f88259003a2e3a5e372b48a2b05bceb60528a2c8f6

  • SSDEEP

    6144:ZuAzGZ+yQ0+LaB1N1PjpE+DbPl9dgfjLfbxQyo:0qg+lLIa+fPlofPfvo

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Wolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    cms

Targets

  • Target

    730e7cf897c39641a53c1e8d4ae6cec4c57a79fcab3f4fb6c031ec5a7586cf99.exe

  • Size

    235KB

  • MD5

    9ecc46cd8417073a40224da5bdeacff7

  • SHA1

    8fdf93d9991c10b2421e33970587196aa1784aca

  • SHA256

    730e7cf897c39641a53c1e8d4ae6cec4c57a79fcab3f4fb6c031ec5a7586cf99

  • SHA512

    6fed95d4935c8d8e3222985a5b01f7ba7c58f24241d4c399bdf57391f1118fb86db513050e89a9a841868eb3f1a47680912feb353ce92320c5a03740409e61da

  • SSDEEP

    6144:dmgYGWWtKRwg7+z0lQ77kc3PRDJPbsjIXKb5jgI:d1YIIb+pPRNojII5j9

Score
10/10

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Checks computer location settings

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks