xenorat | 56c0fcdebcda39f9a98c7b4471aeee2e8e7389bf2e5874fa945fe3f61c4ac654 | Triage

Sharing

General

Target

GOINDIGO_PN#_Desc_&_Qty Details.vbs
Size

6.6MB
Sample

240710-slphfsxbra
MD5

6776a1e5031d3e57bff6359bc884c1f3
SHA1

bb9883c15f718846f1e23744f09044fc6185f25f
SHA256

56c0fcdebcda39f9a98c7b4471aeee2e8e7389bf2e5874fa945fe3f61c4ac654
SHA512

7b0c36ffa6ffdf300cfe50539f096cbc3a0181b8a1632012c88bea3270cf239757c45b4f26a3aaf723b9bce29fdb22194ddd6351b669d2257fe34523fe1c1f81
SSDEEP

1536:7ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssV:SI

Score

10^/10

xenorat execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

xenorat

C2

krecgh.4cloud.click

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
3398
startup_name
nothingset

Targets

- Target
  
  GOINDIGO_PN#_Desc_&_Qty Details.vbs
- Size
  
  6.6MB
- MD5
  
  6776a1e5031d3e57bff6359bc884c1f3
- SHA1
  
  bb9883c15f718846f1e23744f09044fc6185f25f
- SHA256
  
  56c0fcdebcda39f9a98c7b4471aeee2e8e7389bf2e5874fa945fe3f61c4ac654
- SHA512
  
  7b0c36ffa6ffdf300cfe50539f096cbc3a0181b8a1632012c88bea3270cf239757c45b4f26a3aaf723b9bce29fdb22194ddd6351b669d2257fe34523fe1c1f81
- SSDEEP
  
  1536:7ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssV:SI
Score

10^/10

execution xenorat persistence rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xenoratexecutionpersistencerattrojan