xenorat | 2c85025f7dfc82cfc31b57213ee4f3c54e66e9806801ce11d070ab64f269778f | Triage

Sharing

General

Target

a2944e9f2cc19557586d8b3971418c10N.exe
Size

444KB
Sample

240715-hrqbtswhne
MD5

a2944e9f2cc19557586d8b3971418c10
SHA1

15184f8309927af19079c2cd91afd2df2188d750
SHA256

2c85025f7dfc82cfc31b57213ee4f3c54e66e9806801ce11d070ab64f269778f
SHA512

393e9e74344ca43485bef6d9562c7a641549bafc3a48f646d4e9c0e85f7ed03808f1469a376d919b79e7722ebd6322db0de99732e4486dab0906a7232b5f2b79
SSDEEP

12288:vEjB1lxxsFutgrCAPAMJPEcXKHffwWdbNnOL:KB1lxaFut6

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes

delay
60000
install_path
appdata
port
1293
startup_name
kvr

Targets

- Target
  
  a2944e9f2cc19557586d8b3971418c10N.exe
- Size
  
  444KB
- MD5
  
  a2944e9f2cc19557586d8b3971418c10
- SHA1
  
  15184f8309927af19079c2cd91afd2df2188d750
- SHA256
  
  2c85025f7dfc82cfc31b57213ee4f3c54e66e9806801ce11d070ab64f269778f
- SHA512
  
  393e9e74344ca43485bef6d9562c7a641549bafc3a48f646d4e9c0e85f7ed03808f1469a376d919b79e7722ebd6322db0de99732e4486dab0906a7232b5f2b79
- SSDEEP
  
  12288:vEjB1lxxsFutgrCAPAMJPEcXKHffwWdbNnOL:KB1lxaFut6
Score

10^/10

xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratrattrojan

behavioral2

xenoratrattrojan