Analysis
-
max time kernel
133s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
13-07-2024 22:54
General
-
Target
TransAgenda.exe
-
Size
127KB
-
MD5
8dbebef8a47ea96ceed4408641e195ce
-
SHA1
b13a236bdf60de5fac38ab11344392eadb7462a9
-
SHA256
2bee910afaec59b55af87e2056a52cc43d879a2582dc5d148bcf696ddbd0516d
-
SHA512
9159cf5a19963d73d947cf17db303eb84353a0237b03bb61fc553b6945f3c670da79cc5185211a793effa191ef438f0ce3f1b894dde3983cc068adce0757540d
-
SSDEEP
3072:9w+jqT91UbTkTxswif42DRk1u1F33bIWQD4agDUbjwAGy7:qW291UbuqfhdkY1F3rTQD4agwfwby
Malware Config
Extracted
xenorat
174.60.140.164
Xeno_rat_nd8912f
-
delay
5000
-
install_path
appdata
-
port
7707
-
startup_name
TransAgenda
Signatures
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\TransAgenda.exe"C:\Users\Admin\AppData\Local\Temp\TransAgenda.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\TransAgenda.exe"C:\Users\Admin\AppData\Roaming\XenoManager\TransAgenda.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "TransAgenda" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA21C.tmp" /F3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1KB
MD5a9c1f7e3003f94a8c0313a0dc0724247
SHA1c175bfbdeed865347102f9f709808ab69ef558f5
SHA2568847403fa9782db190ff467a63a6d84af09ad173a4fed107a9b11aee0cf26e26
SHA512fc86570456b8d7f1f01c5f8580ace3c627e7368640c704471787831bd58829ce99ee7f0a6cfea601f9038602e4988f769a16e4016790af76431d6ccb54983b37
-
Filesize
127KB
MD58dbebef8a47ea96ceed4408641e195ce
SHA1b13a236bdf60de5fac38ab11344392eadb7462a9
SHA2562bee910afaec59b55af87e2056a52cc43d879a2582dc5d148bcf696ddbd0516d
SHA5129159cf5a19963d73d947cf17db303eb84353a0237b03bb61fc553b6945f3c670da79cc5185211a793effa191ef438f0ce3f1b894dde3983cc068adce0757540d
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
152KB