xenorat | 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5

Analysis

max time kernel
130s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Size

707KB
MD5

76e42ae7f8be751dc2802f8429acad56
SHA1

60b373bcd072ff1f31cb32abcb9f26387cfacb9e
SHA256

1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5
SHA512

ba3d1850d8bbd052170c89783c57ed6130cdc02592f3c795a0d3de5efffeec6726f88eaf25b18716b4b44db908407fef1e84199586604ed2db51fb1d9528bea7
SSDEEP

12288:WcrNS33L10QdrX2nVnRe87C67I1LX/OrJ3yfc5UsrJZTUfe5xZ:FNA3R5drXyVReq+7aCfNgJ5F7Z

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

91.92.248.167

Mutex

Bolid_rat_nd8859g

Attributes

delay
60500
install_path
appdata
port
1294
startup_name
bel

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 11 IoCs

pid	Process
2948	gfdhxdh.sfx.exe
2320	gfdhxdh.exe
2112	gfdhxdh.exe
1712	gfdhxdh.exe
1512	gfdhxdh.exe
2708	gfdhxdh.exe
1372	gfdhxdh.exe
868	gfdhxdh.exe
1508	gfdhxdh.exe
528	gfdhxdh.exe
1324	gfdhxdh.exe

Loads dropped DLL 6 IoCs

pid	Process
2824	cmd.exe
2948	gfdhxdh.sfx.exe
2948	gfdhxdh.sfx.exe
2948	gfdhxdh.sfx.exe
2948	gfdhxdh.sfx.exe
1712	gfdhxdh.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 2112	2320	gfdhxdh.exe	34
PID 2320 set thread context of 1712	2320	gfdhxdh.exe	35
PID 2320 set thread context of 1512	2320	gfdhxdh.exe	36
PID 2320 set thread context of 2708	2320	gfdhxdh.exe	37
PID 1372 set thread context of 868	1372	gfdhxdh.exe	39
PID 1372 set thread context of 1508	1372	gfdhxdh.exe	40
PID 1372 set thread context of 528	1372	gfdhxdh.exe	41
PID 1372 set thread context of 1324	1372	gfdhxdh.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	gfdhxdh.exe
Token: SeDebugPrivilege	1372	gfdhxdh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2824	1612	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe	30
PID 1612 wrote to memory of 2824	1612	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe	30
PID 1612 wrote to memory of 2824	1612	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe	30
PID 1612 wrote to memory of 2824	1612	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe	30
PID 2824 wrote to memory of 2948	2824	cmd.exe	32
PID 2824 wrote to memory of 2948	2824	cmd.exe	32
PID 2824 wrote to memory of 2948	2824	cmd.exe	32
PID 2824 wrote to memory of 2948	2824	cmd.exe	32
PID 2948 wrote to memory of 2320	2948	gfdhxdh.sfx.exe	33
PID 2948 wrote to memory of 2320	2948	gfdhxdh.sfx.exe	33
PID 2948 wrote to memory of 2320	2948	gfdhxdh.sfx.exe	33
PID 2948 wrote to memory of 2320	2948	gfdhxdh.sfx.exe	33
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 2112	2320	gfdhxdh.exe	34
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1712	2320	gfdhxdh.exe	35
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 1512	2320	gfdhxdh.exe	36
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 2320 wrote to memory of 2708	2320	gfdhxdh.exe	37
PID 1712 wrote to memory of 1372	1712	gfdhxdh.exe	38
PID 1712 wrote to memory of 1372	1712	gfdhxdh.exe	38
PID 1712 wrote to memory of 1372	1712	gfdhxdh.exe	38
PID 1712 wrote to memory of 1372	1712	gfdhxdh.exe	38
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 868	1372	gfdhxdh.exe	39
PID 1372 wrote to memory of 1508	1372	gfdhxdh.exe	40
PID 1372 wrote to memory of 1508	1372	gfdhxdh.exe	40
PID 1372 wrote to memory of 1508	1372	gfdhxdh.exe	40

C:\Users\Admin\AppData\Local\Temp\1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
"C:\Users\Admin\AppData\Local\Temp\1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\ghjostsdf.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Roaming\gfdhxdh.sfx.exe
    gfdhxdh.sfx.exe -piujmhngbfvdsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeN -dC:\Users\Admin\AppData\Roaming
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
      "C:\Users\Admin\AppData\Roaming\gfdhxdh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Executes dropped EXE
        
        PID:2112
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        
        PID:1324
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Executes dropped EXE
        
        PID:1512
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "bel" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D68.tmp" /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Executes dropped EXE
        
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9D68.tmp

Filesize
1KB

MD5
577384a850f9de8e4eea4e7176cdc514

SHA1
af61b52b727df630b06225c9e0ce920ea26e4399

SHA256
92a8ef2da06cc49894605f45ce83894ab93d772fa31e78d59be6118682c16859

SHA512
45a809ce780d9f96f9c57c7db23b0221c5caf81ca5b43f2e97f6288a376d9928bf3109e28a04aae8d5c2227c2bc47b284d8d5cafd4d50cffd4fb1009a6f9982a

Download Submit
C:\Users\Admin\AppData\Roaming\ghjostsdf.cmd

Filesize
18KB

MD5
222aeeb413ba16970dd3c02ad9abc0ce

SHA1
9ca9e96092d679eb228ca12e56df0495b0596e88

SHA256
1061cee35ae6a842f744991c1e42fadb47f445a1504abe161480da8e5e3ed2fc

SHA512
c58822e5492714a74e12f84bea3027e61a6f2a40c9200da3886f59b1291ed9a8bd244e4af7b2017fcd15a790b093cb013d566a196b1539760c33e6afe0284504

Download Submit
\Users\Admin\AppData\Roaming\gfdhxdh.exe

Filesize
447KB

MD5
ae15cae1d0c81ba873c1cf558fead841

SHA1
7d36c27dfe47a2fe5820af90cedca2de6d93031a

SHA256
c696a4f2ed661c6282b957c16d04ec16114fcbab6153033a5f1f663d5dad129d

SHA512
63d4daf40ad7be15bd9e0527da89a84a26cfe1843456aa16bf0c9c7fe339aab621920ade0888e9fcd373f0e6fec14fb5ce8731485d307ab43d30f6c772072392

Download Submit
\Users\Admin\AppData\Roaming\gfdhxdh.sfx.exe

Filesize
570KB

MD5
e3971905e8de0b85cd2631acd6cd9aca

SHA1
acb6bc0d6b457596a9fbe611f75d4968cb2b6e30

SHA256
e2f1f0c71ec63d9a715bd284d9b772aa95c237736a6f535bd6d6d09ef8256fb9

SHA512
06abf1248917a91ab2cf425e9edf89a01fb105dfd092df11b0715ddc7361adb6f37b1826e7e1f46329583fcd9fde5ce8a10b2bf3463206aea560d0d8a6e5ca5e

Download Submit
memory/1372-60-0x0000000000EE0000-0x0000000000F5A000-memory.dmp

Filesize
488KB

Download
memory/1712-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-45-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2320-37-0x0000000000310000-0x000000000038A000-memory.dmp

Filesize
488KB

Download
memory/2320-38-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2320-39-0x00000000006D0000-0x000000000073A000-memory.dmp

Filesize
424KB

Download
memory/2320-40-0x0000000000520000-0x0000000000526000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads