Overview

overview

10

Static

static

3

Betaling.exe

windows7-x64

10

Betaling.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Betaling.exe

  • Size

    707KB

  • Sample

    240716-nfzzsazdrl

  • MD5

    76e42ae7f8be751dc2802f8429acad56

  • SHA1

    60b373bcd072ff1f31cb32abcb9f26387cfacb9e

  • SHA256

    1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5

  • SHA512

    ba3d1850d8bbd052170c89783c57ed6130cdc02592f3c795a0d3de5efffeec6726f88eaf25b18716b4b44db908407fef1e84199586604ed2db51fb1d9528bea7

  • SSDEEP

    12288:WcrNS33L10QdrX2nVnRe87C67I1LX/OrJ3yfc5UsrJZTUfe5xZ:FNA3R5drXyVReq+7aCfNgJ5F7Z

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Bolid_rat_nd8859g

Attributes
  • delay

    60500

  • install_path

    appdata

  • port

    1294

  • startup_name

    bel

Targets

    • Target

      Betaling.exe

    • Size

      707KB

    • MD5

      76e42ae7f8be751dc2802f8429acad56

    • SHA1

      60b373bcd072ff1f31cb32abcb9f26387cfacb9e

    • SHA256

      1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5

    • SHA512

      ba3d1850d8bbd052170c89783c57ed6130cdc02592f3c795a0d3de5efffeec6726f88eaf25b18716b4b44db908407fef1e84199586604ed2db51fb1d9528bea7

    • SSDEEP

      12288:WcrNS33L10QdrX2nVnRe87C67I1LX/OrJ3yfc5UsrJZTUfe5xZ:FNA3R5drXyVReq+7aCfNgJ5F7Z

    Score
    10/10
    xenoratratspywarestealertrojan

    • XenorRat

      XenorRat is a remote access trojan written in C#.

      trojanratxenorat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks