Overview

overview

10

Static

static

3

Betaling.exe

windows7-x64

10

Betaling.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2024 11:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Betaling.exe

  • Size

    707KB

  • MD5

    76e42ae7f8be751dc2802f8429acad56

  • SHA1

    60b373bcd072ff1f31cb32abcb9f26387cfacb9e

  • SHA256

    1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5

  • SHA512

    ba3d1850d8bbd052170c89783c57ed6130cdc02592f3c795a0d3de5efffeec6726f88eaf25b18716b4b44db908407fef1e84199586604ed2db51fb1d9528bea7

  • SSDEEP

    12288:WcrNS33L10QdrX2nVnRe87C67I1LX/OrJ3yfc5UsrJZTUfe5xZ:FNA3R5drXyVReq+7aCfNgJ5F7Z

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Bolid_rat_nd8859g

Attributes
  • delay

    60500

  • install_path

    appdata

  • port

    1294

  • startup_name

    bel

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Betaling.exe
    "C:\Users\Admin\AppData\Local\Temp\Betaling.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ghjostsdf.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Users\Admin\AppData\Roaming\gfdhxdh.sfx.exe
        gfdhxdh.sfx.exe -piujmhngbfvdsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeN -dC:\Users\Admin\AppData\Roaming
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
          "C:\Users\Admin\AppData\Roaming\gfdhxdh.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            5⤵
            • Executes dropped EXE
            PID:2296
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 80
              6⤵
              • Program crash
              PID:4232
          • C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3236
            • C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
              "C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2672
              • C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                7⤵
                • Executes dropped EXE
                PID:4424
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 152
                  8⤵
                  • Program crash
                  PID:4572
              • C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                7⤵
                • Executes dropped EXE
                PID:4184
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 80
                  8⤵
                  • Program crash
                  PID:2852
              • C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                7⤵
                • Executes dropped EXE
                PID:4504
              • C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
                7⤵
                • Executes dropped EXE
                PID:1964
          • C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3076
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /Create /TN "bel" /XML "C:\Users\Admin\AppData\Local\Temp\tmp726C.tmp" /F
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2284
          • C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
            5⤵
            • Executes dropped EXE
            PID:4344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2296 -ip 2296
    1⤵
      PID:2932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4424 -ip 4424
      1⤵
        PID:2828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4184 -ip 4184
        1⤵
          PID:1684

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gfdhxdh.exe.log
          Filesize

          706B

          MD5

          d95c58e609838928f0f49837cab7dfd2

          SHA1

          55e7139a1e3899195b92ed8771d1ca2c7d53c916

          SHA256

          0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

          SHA512

          405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp726C.tmp
          Filesize

          1KB

          MD5

          577384a850f9de8e4eea4e7176cdc514

          SHA1

          af61b52b727df630b06225c9e0ce920ea26e4399

          SHA256

          92a8ef2da06cc49894605f45ce83894ab93d772fa31e78d59be6118682c16859

          SHA512

          45a809ce780d9f96f9c57c7db23b0221c5caf81ca5b43f2e97f6288a376d9928bf3109e28a04aae8d5c2227c2bc47b284d8d5cafd4d50cffd4fb1009a6f9982a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
          Filesize

          447KB

          MD5

          ae15cae1d0c81ba873c1cf558fead841

          SHA1

          7d36c27dfe47a2fe5820af90cedca2de6d93031a

          SHA256

          c696a4f2ed661c6282b957c16d04ec16114fcbab6153033a5f1f663d5dad129d

          SHA512

          63d4daf40ad7be15bd9e0527da89a84a26cfe1843456aa16bf0c9c7fe339aab621920ade0888e9fcd373f0e6fec14fb5ce8731485d307ab43d30f6c772072392

          Download Submit

        • C:\Users\Admin\AppData\Roaming\gfdhxdh.sfx.exe
          Filesize

          570KB

          MD5

          e3971905e8de0b85cd2631acd6cd9aca

          SHA1

          acb6bc0d6b457596a9fbe611f75d4968cb2b6e30

          SHA256

          e2f1f0c71ec63d9a715bd284d9b772aa95c237736a6f535bd6d6d09ef8256fb9

          SHA512

          06abf1248917a91ab2cf425e9edf89a01fb105dfd092df11b0715ddc7361adb6f37b1826e7e1f46329583fcd9fde5ce8a10b2bf3463206aea560d0d8a6e5ca5e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ghjostsdf.cmd
          Filesize

          18KB

          MD5

          222aeeb413ba16970dd3c02ad9abc0ce

          SHA1

          9ca9e96092d679eb228ca12e56df0495b0596e88

          SHA256

          1061cee35ae6a842f744991c1e42fadb47f445a1504abe161480da8e5e3ed2fc

          SHA512

          c58822e5492714a74e12f84bea3027e61a6f2a40c9200da3886f59b1291ed9a8bd244e4af7b2017fcd15a790b093cb013d566a196b1539760c33e6afe0284504

          Download Submit

        • memory/2192-22-0x0000000000130000-0x00000000001AA000-memory.dmp

          Filesize

          488KB

          Download

        • memory/2192-23-0x0000000004AD0000-0x0000000004AD6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2192-24-0x000000000D6A0000-0x000000000D70A000-memory.dmp

          Filesize

          424KB

          Download

        • memory/2192-25-0x000000000D7B0000-0x000000000D84C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2192-26-0x000000000DE00000-0x000000000E3A4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2192-27-0x000000000D8F0000-0x000000000D982000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2192-28-0x00000000025C0000-0x00000000025C6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3076-62-0x0000000005EA0000-0x0000000006062000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3076-60-0x0000000005960000-0x00000000059C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3076-61-0x0000000005BD0000-0x0000000005CCA000-memory.dmp

          Filesize

          1000KB

          Download

        • memory/3076-63-0x0000000005D60000-0x0000000005DD6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3076-64-0x0000000005DE0000-0x0000000005E30000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3076-65-0x00000000065A0000-0x0000000006ACC000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/3076-66-0x0000000006170000-0x000000000618E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3236-31-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

          Download