xenorat | 5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe
Size

45KB
MD5

e3d41f5c084aa851347971f18b9bb493
SHA1

4a840d0be1805bcb519952d7c8a692a635f57b2e
SHA256

5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363
SHA512

49d66e4d0bd03385ff4c66f0c1a853b254e69fea592a9c7f603f09edf16261062850c9be4865b5b7a84dd7dd10452e9ff524c4bc52037cfce4cab004fd556a5a
SSDEEP

768:adhO/poiiUcjlJInolH9Xqk5nWEZ5SbTDa/WI7CPW5G:8w+jjgnYH9XqcnW85SbT2WIe

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

0x04

Attributes

delay
1000
install_path
temp
port
404
startup_name
WinBootManager

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
2784	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe

Loads dropped DLL 1 IoCs

pid	Process
2644	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2784	2644	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	30
PID 2644 wrote to memory of 2784	2644	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	30
PID 2644 wrote to memory of 2784	2644	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	30
PID 2644 wrote to memory of 2784	2644	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	30
PID 2784 wrote to memory of 2796	2784	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	31
PID 2784 wrote to memory of 2796	2784	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	31
PID 2784 wrote to memory of 2796	2784	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	31
PID 2784 wrote to memory of 2796	2784	5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe	31

C:\Users\Admin\AppData\Local\Temp\5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe
"C:\Users\Admin\AppData\Local\Temp\5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\XenoManager\5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "WinBootManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C57.tmp" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C57.tmp

Filesize
1KB

MD5
2bde4e9457d80ccc29d7f4cce697c9f2

SHA1
60f0d0e6b4242b3796239108c825217ee7961c74

SHA256
45a2eb909925f80955a155d07d9cc16f550b3fbcb0ebcb487d31c485189e4d6e

SHA512
f7f0fe1844996e92dfa4d7f7a6a41ae7de7476074742524475496f83914fbdc0fa95e0018a18d3ae6549230043ec5e3ea5c4250d6f13c7ca344b5eaef5a4c668

Download Submit
\Users\Admin\AppData\Local\Temp\XenoManager\5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363.exe

Filesize
45KB

MD5
e3d41f5c084aa851347971f18b9bb493

SHA1
4a840d0be1805bcb519952d7c8a692a635f57b2e

SHA256
5bf990aad6834600b8a95d150ea0775d7c826418e8f93f68e948feabd256c363

SHA512
49d66e4d0bd03385ff4c66f0c1a853b254e69fea592a9c7f603f09edf16261062850c9be4865b5b7a84dd7dd10452e9ff524c4bc52037cfce4cab004fd556a5a

Download Submit
memory/2644-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/2644-1-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download
memory/2784-9-0x0000000000850000-0x0000000000862000-memory.dmp

Filesize
72KB

Download
memory/2784-10-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-13-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-14-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download
memory/2784-15-0x0000000074AD0000-0x00000000751BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads