xenorat | 27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732

General

Target

SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe
Size

733KB
MD5

3920c23bc5bf04211bf972aca575e55b
SHA1

93537135ee51857248063359e2ba73c3c66bf98f
SHA256

27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732
SHA512

7c93bee505f7ea9f831533d707329b85089c953263b7916806822d8b6d22593691ee47d6254b9ecaf5c96abe1f2938bbb9fef4bd95124d5e906e677490546972
SSDEEP

12288:PWuMuanZhZGbaWuMuanZhZGb3LAPlJ8/6vrQUACkQvBKS/L8pi9mQ47:yueZG3ueZGeS6LYQ

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

77.221.152.198

Mutex

Xeno_rat_nd89dsedwqdswdqwdwqdqwdqwdwqdwqdqwdqwdwqdwqd12d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 1 IoCs

pid	Process
3124	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 1440	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	86
PID 4848 wrote to memory of 1440	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	86
PID 4848 wrote to memory of 1440	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	86
PID 1440 wrote to memory of 1232	1440	csc.exe	88
PID 1440 wrote to memory of 1232	1440	csc.exe	88
PID 1440 wrote to memory of 1232	1440	csc.exe	88
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 4848 wrote to memory of 1792	4848	SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe	89
PID 1792 wrote to memory of 3124	1792	RegAsm.exe	90
PID 1792 wrote to memory of 3124	1792	RegAsm.exe	90
PID 1792 wrote to memory of 3124	1792	RegAsm.exe	90

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.5521.21793.4561.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uxdlcn0t\uxdlcn0t.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAC4.tmp" "c:\Users\Admin\AppData\Local\Temp\uxdlcn0t\CSCB7BD36BBDD204711904736E7281B772D.TMP"
    3⤵
    PID:1232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Roaming\XenoManager\RegAsm.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\RegAsm.exe"
    3⤵
    - Executes dropped EXE
    PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBAC4.tmp

Filesize
1KB

MD5
09333cbc4b2e46415e8d2c2a9489b75c

SHA1
7961b5e7e3817c885dad20f32ab33f8c57fa07a9

SHA256
ba0ce10caf368298e438a1dde8f89ef616e2a0dee09841412d9feac8431e4ee9

SHA512
7478e5abf2b5b99ae8bd107d7599206f3a8536189ef86f524b15b7e52a4d689b9c3aa182403d0df5b06ce4cb08ee4139e8c335349cbe5efbafef2b34489e99e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxdlcn0t\uxdlcn0t.dll

Filesize
4KB

MD5
334d234cdda863ac7f12c423ebfca050

SHA1
425f77025dba9357c5cf84dded9379887edf70e6

SHA256
c8a167b9eb1f727ccfafc3baa9b936df2d8ae43e825dd4ac4ea4eb43c14099c1

SHA512
c57f2f5e21e1a354352fb3ec63f5c4bf3e5e711b8cdd5bb7ccfd3b234db350e547f32daaa87c0b46932f0ed651c9b3597b5acd27f027e39151d67a5e1864da96

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxdlcn0t\CSCB7BD36BBDD204711904736E7281B772D.TMP

Filesize
652B

MD5
75dd29707774b76a94269fd524979f8d

SHA1
a99c3e3ccc8b5634d96a8b0432b076e119e88278

SHA256
be2e0b667c8d4249b118b535ea5876e29b09a150954a1528b5646683ef9a8ba1

SHA512
ea516bb6abf7248f31d09273c96cc0ca86d97716cab640db79f373de373363584f95bde372332f0d92a2b7ae629d3792fd999129e59203af282131ffd4fb420f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxdlcn0t\uxdlcn0t.0.cs

Filesize
1KB

MD5
c32c2c327b1cbd6bc40811906085e443

SHA1
3dd38840e4943f8c8d2e3322c7fe07471ca6efad

SHA256
aae5d17321d66991f73705f6c75048ee4d63b0505a428e59789991ca35865de6

SHA512
36686fbfba241be09de60f7c8eb78aefb94f96831a212e6f2ed5e5b73ea9599b8a55a3097436ea486c063507c49e453e523df4a16305ca28d05a53a4fe7f4c70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uxdlcn0t\uxdlcn0t.cmdline

Filesize
204B

MD5
20b30ccb41710678832104e199d226a6

SHA1
c47f85bfeb3f6edb26b635d4f025fb5549ce0f09

SHA256
13f01d9fde9c1ef4149fc89033fcf93993de4f8ed561fb4f774b3e2ef249d9aa

SHA512
eda4b866ea50c89353db8621427ac82ea257f35c997b1f64bd55d8045fc7a5633bfee5dc9c96c2955ce7c1ca26d8e86334969dbcff44c06a544278ce097d4e1a

Download Submit
memory/1792-22-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1792-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1792-33-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3124-36-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/4848-15-0x00000000031E0000-0x00000000031E8000-memory.dmp

Filesize
32KB

Download
memory/4848-17-0x00000000057C0000-0x00000000057E8000-memory.dmp

Filesize
160KB

Download
memory/4848-20-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4848-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/4848-6-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/4848-1-0x0000000000E20000-0x0000000000EDC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing