xenorat | 27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732

General

Target

27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
Size

733KB
MD5

3920c23bc5bf04211bf972aca575e55b
SHA1

93537135ee51857248063359e2ba73c3c66bf98f
SHA256

27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732
SHA512

7c93bee505f7ea9f831533d707329b85089c953263b7916806822d8b6d22593691ee47d6254b9ecaf5c96abe1f2938bbb9fef4bd95124d5e906e677490546972
SSDEEP

12288:PWuMuanZhZGbaWuMuanZhZGb3LAPlJ8/6vrQUACkQvBKS/L8pi9mQ47:yueZG3ueZGeS6LYQ

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

77.221.152.198

Mutex

Xeno_rat_nd89dsedwqdswdqwdwqdqwdqwdwqdwqdqwdqwdwqdwqd12d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 1 IoCs

pid	Process
4056	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 1672	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	87
PID 2908 wrote to memory of 1672	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	87
PID 2908 wrote to memory of 1672	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	87
PID 1672 wrote to memory of 724	1672	csc.exe	88
PID 1672 wrote to memory of 724	1672	csc.exe	88
PID 1672 wrote to memory of 724	1672	csc.exe	88
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 2908 wrote to memory of 3980	2908	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe	89
PID 3980 wrote to memory of 4056	3980	RegAsm.exe	90
PID 3980 wrote to memory of 4056	3980	RegAsm.exe	90
PID 3980 wrote to memory of 4056	3980	RegAsm.exe	90

C:\Users\Admin\AppData\Local\Temp\27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe
"C:\Users\Admin\AppData\Local\Temp\27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\grf0eb23\grf0eb23.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABA1.tmp" "c:\Users\Admin\AppData\Local\Temp\grf0eb23\CSC11B89F68ECB04A7FB582DC2C707458E4.TMP"
    3⤵
    PID:724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Users\Admin\AppData\Roaming\XenoManager\RegAsm.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\RegAsm.exe"
    3⤵
    - Executes dropped EXE
    PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABA1.tmp

Filesize
1KB

MD5
1cffc5ca235bb8809d3ad403e006cb7f

SHA1
027d990c70617e83f4db58f1b7cc2d150691fea4

SHA256
2c73c48b6a2dddfdf843f91e1c08fc962d5105a112ffd9009a29603fb33c82da

SHA512
22b917fbbcacbcbedd3803653b5d32ff30e8575b94c9073b7dfd7aa5deabbd3d2e9e83e897c7e72761733b7be5c7b556112ff4147ea7eafda9cb32dd7e851b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\grf0eb23\grf0eb23.dll

Filesize
4KB

MD5
e04a6df452977fc4e927bf0c816111ae

SHA1
d83a66871f6b730e4000f776337e8c035fd0ca8f

SHA256
74b7f27835d3513c3056c80632ca1e075e5f904cea3a10b9ca9b23a5c08221b4

SHA512
b74f663af4ffd0c3388e0580d59d3225f4bd47620a69acc4807b92a61c7f8125c208416387ee58c173b1833bb302111d88114ee2a394ff944aeabc5ca8e8aee0

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grf0eb23\CSC11B89F68ECB04A7FB582DC2C707458E4.TMP

Filesize
652B

MD5
475255a7e053db28832f2e0fe7f34715

SHA1
cb71066764afd1bc14b44b2cef4e416f5f31bcf6

SHA256
4eaf53871795032dfe4569a0faff0b72ae02256d11075a2fe1a6c3af90dc9d88

SHA512
7aea9bcde2a915739aa6a5dde1f3edb6479b0264b9868516c156af7c0c3d9dbb8dc7bd2afb0eb946df1d7d96f7f4e01ebbd8bfafa4e13d81e1ee8305a159df70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grf0eb23\grf0eb23.0.cs

Filesize
1KB

MD5
c32c2c327b1cbd6bc40811906085e443

SHA1
3dd38840e4943f8c8d2e3322c7fe07471ca6efad

SHA256
aae5d17321d66991f73705f6c75048ee4d63b0505a428e59789991ca35865de6

SHA512
36686fbfba241be09de60f7c8eb78aefb94f96831a212e6f2ed5e5b73ea9599b8a55a3097436ea486c063507c49e453e523df4a16305ca28d05a53a4fe7f4c70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\grf0eb23\grf0eb23.cmdline

Filesize
204B

MD5
4995a16d4b446a501272a5313a1fd27a

SHA1
768be60b9e89322917ed51db5eb51bd58cf6db0e

SHA256
24a72de0d1476664ad67faff5518589af0bc3643f0422d6135aa00b71ba02224

SHA512
f8a1ebfef5288d9418f40c409eadbd09fd7e8168e2ab057f42317bba792b067da3f4676d5bf0f0650705192529f8ff3b930a8c747d711fd6ba7ae7fc98c6918c

Download Submit
memory/2908-15-0x00000000013F0000-0x00000000013F8000-memory.dmp

Filesize
32KB

Download
memory/2908-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

Filesize
4KB

Download
memory/2908-17-0x00000000051D0000-0x00000000051F8000-memory.dmp

Filesize
160KB

Download
memory/2908-20-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-6-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-1-0x00000000007D0000-0x000000000088C000-memory.dmp

Filesize
752KB

Download
memory/3980-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3980-22-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/3980-33-0x00000000751F0000-0x00000000759A0000-memory.dmp

Filesize
7.7MB

Download
memory/4056-36-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing