xenorat | 1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Size

707KB
MD5

76e42ae7f8be751dc2802f8429acad56
SHA1

60b373bcd072ff1f31cb32abcb9f26387cfacb9e
SHA256

1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5
SHA512

ba3d1850d8bbd052170c89783c57ed6130cdc02592f3c795a0d3de5efffeec6726f88eaf25b18716b4b44db908407fef1e84199586604ed2db51fb1d9528bea7
SSDEEP

12288:WcrNS33L10QdrX2nVnRe87C67I1LX/OrJ3yfc5UsrJZTUfe5xZ:FNA3R5drXyVReq+7aCfNgJ5F7Z

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

91.92.248.167

Mutex

Bolid_rat_nd8859g

Attributes

delay
60500
install_path
appdata
port
1294
startup_name
bel

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	gfdhxdh.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	gfdhxdh.exe

Executes dropped EXE 11 IoCs

pid	Process
5108	gfdhxdh.sfx.exe
4224	gfdhxdh.exe
2044	gfdhxdh.exe
3560	gfdhxdh.exe
220	gfdhxdh.exe
5032	gfdhxdh.exe
3508	gfdhxdh.exe
3572	gfdhxdh.exe
4704	gfdhxdh.exe
4980	gfdhxdh.exe
336	gfdhxdh.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 2044	4224	gfdhxdh.exe	92
PID 4224 set thread context of 3560	4224	gfdhxdh.exe	93
PID 4224 set thread context of 5032	4224	gfdhxdh.exe	95
PID 4224 set thread context of 220	4224	gfdhxdh.exe	96
PID 3508 set thread context of 3572	3508	gfdhxdh.exe	102
PID 3508 set thread context of 4704	3508	gfdhxdh.exe	103
PID 3508 set thread context of 4980	3508	gfdhxdh.exe	104
PID 3508 set thread context of 336	3508	gfdhxdh.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2420	2044	WerFault.exe	92
3044	220	WerFault.exe	96
4144	336	WerFault.exe	106
4080	3572	WerFault.exe	102

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3620	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	gfdhxdh.exe
Token: SeDebugPrivilege	3508	gfdhxdh.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3572	gfdhxdh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3340	4264	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe	85
PID 4264 wrote to memory of 3340	4264	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe	85
PID 4264 wrote to memory of 3340	4264	1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe	85
PID 3340 wrote to memory of 5108	3340	cmd.exe	88
PID 3340 wrote to memory of 5108	3340	cmd.exe	88
PID 3340 wrote to memory of 5108	3340	cmd.exe	88
PID 5108 wrote to memory of 4224	5108	gfdhxdh.sfx.exe	91
PID 5108 wrote to memory of 4224	5108	gfdhxdh.sfx.exe	91
PID 5108 wrote to memory of 4224	5108	gfdhxdh.sfx.exe	91
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 2044	4224	gfdhxdh.exe	92
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 3560	4224	gfdhxdh.exe	93
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 5032	4224	gfdhxdh.exe	95
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 4224 wrote to memory of 220	4224	gfdhxdh.exe	96
PID 3560 wrote to memory of 3508	3560	gfdhxdh.exe	99
PID 3560 wrote to memory of 3508	3560	gfdhxdh.exe	99
PID 3560 wrote to memory of 3508	3560	gfdhxdh.exe	99
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 3572	3508	gfdhxdh.exe	102
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4704	3508	gfdhxdh.exe	103
PID 3508 wrote to memory of 4980	3508	gfdhxdh.exe	104
PID 3508 wrote to memory of 4980	3508	gfdhxdh.exe	104
PID 3508 wrote to memory of 4980	3508	gfdhxdh.exe	104
PID 3508 wrote to memory of 4980	3508	gfdhxdh.exe	104

C:\Users\Admin\AppData\Local\Temp\1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe
"C:\Users\Admin\AppData\Local\Temp\1bca88ef695a571b209d53645981a5bf0d005491ee35b4bf7fb5890c4f7fb8d5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ghjostsdf.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Roaming\gfdhxdh.sfx.exe
    gfdhxdh.sfx.exe -piujmhngbfvdsdyethnymkdesppodtyuhngfszafugyRhvqxsdfHbgnmeN -dC:\Users\Admin\AppData\Roaming
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
      "C:\Users\Admin\AppData\Roaming\gfdhxdh.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Executes dropped EXE
        
        PID:2044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 80
        6⤵
        Program crash
        
        PID:2420
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        Suspicious use of UnmapMainImage
        
        PID:3572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 12
        8⤵
        Program crash
        
        PID:4080
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\XenoManager\gfdhxdh.exe
        7⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 88
        8⤵
        Program crash
        
        PID:4144
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Executes dropped EXE
        
        PID:5032
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "bel" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD349.tmp" /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3620
    - - C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        
        C:\Users\Admin\AppData\Roaming\gfdhxdh.exe
        5⤵
        Executes dropped EXE
        
        PID:220
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 84
        6⤵
        Program crash
        
        PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 220 -ip 220
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 2044
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3572 -ip 3572
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 336 -ip 336
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gfdhxdh.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD349.tmp

Filesize
1KB

MD5
577384a850f9de8e4eea4e7176cdc514

SHA1
af61b52b727df630b06225c9e0ce920ea26e4399

SHA256
92a8ef2da06cc49894605f45ce83894ab93d772fa31e78d59be6118682c16859

SHA512
45a809ce780d9f96f9c57c7db23b0221c5caf81ca5b43f2e97f6288a376d9928bf3109e28a04aae8d5c2227c2bc47b284d8d5cafd4d50cffd4fb1009a6f9982a

Download Submit
C:\Users\Admin\AppData\Roaming\gfdhxdh.exe

Filesize
447KB

MD5
ae15cae1d0c81ba873c1cf558fead841

SHA1
7d36c27dfe47a2fe5820af90cedca2de6d93031a

SHA256
c696a4f2ed661c6282b957c16d04ec16114fcbab6153033a5f1f663d5dad129d

SHA512
63d4daf40ad7be15bd9e0527da89a84a26cfe1843456aa16bf0c9c7fe339aab621920ade0888e9fcd373f0e6fec14fb5ce8731485d307ab43d30f6c772072392

Download Submit
C:\Users\Admin\AppData\Roaming\gfdhxdh.sfx.exe

Filesize
570KB

MD5
e3971905e8de0b85cd2631acd6cd9aca

SHA1
acb6bc0d6b457596a9fbe611f75d4968cb2b6e30

SHA256
e2f1f0c71ec63d9a715bd284d9b772aa95c237736a6f535bd6d6d09ef8256fb9

SHA512
06abf1248917a91ab2cf425e9edf89a01fb105dfd092df11b0715ddc7361adb6f37b1826e7e1f46329583fcd9fde5ce8a10b2bf3463206aea560d0d8a6e5ca5e

Download Submit
C:\Users\Admin\AppData\Roaming\ghjostsdf.cmd

Filesize
18KB

MD5
222aeeb413ba16970dd3c02ad9abc0ce

SHA1
9ca9e96092d679eb228ca12e56df0495b0596e88

SHA256
1061cee35ae6a842f744991c1e42fadb47f445a1504abe161480da8e5e3ed2fc

SHA512
c58822e5492714a74e12f84bea3027e61a6f2a40c9200da3886f59b1291ed9a8bd244e4af7b2017fcd15a790b093cb013d566a196b1539760c33e6afe0284504

Download Submit
memory/3560-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4224-25-0x000000000DF60000-0x000000000DFFC000-memory.dmp

Filesize
624KB

Download
memory/4224-26-0x000000000E5B0000-0x000000000EB54000-memory.dmp

Filesize
5.6MB

Download
memory/4224-27-0x000000000E0A0000-0x000000000E132000-memory.dmp

Filesize
584KB

Download
memory/4224-28-0x0000000002C70000-0x0000000002C76000-memory.dmp

Filesize
24KB

Download
memory/4224-24-0x000000000DE50000-0x000000000DEBA000-memory.dmp

Filesize
424KB

Download
memory/4224-23-0x0000000005320000-0x0000000005326000-memory.dmp

Filesize
24KB

Download
memory/4224-22-0x00000000009C0000-0x0000000000A3A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads