General
-
Target
job_offer_personal_profile.pdf.js
-
Size
46KB
-
Sample
240719-x2wzpawbrk
-
MD5
4aa0d4b34e801f9e29a10988a5cb9d50
-
SHA1
e8b266857a307c5ced537018138e82f8173331fc
-
SHA256
97dabca268785ff70da0f954929ec7767861f9a72a61903bafb08691cbd8d1a0
-
SHA512
c5e511587c2d3e63b661deaa27fdccb3122a8aaa5722573fdb9a2f3ccd901e9002007a4cee4cb76b0e9db13f56e99844d8d70f1690107a6540388c0a054d4187
-
SSDEEP
768:e+2+2+w3C6+M3C6+M3C6+b3C6+aK3C6+wF3C6+DeV53C6+wn39OUz83C6+j8Gdsd:e11bC6xC6xC6AC6yC6FC6xC6zNO0wC6r
Static task
static1
Behavioral task
behavioral1
Sample
job_offer_personal_profile.pdf.js
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
job_offer_personal_profile.pdf.js
Resource
win10v2004-20240709-en
Malware Config
Extracted
http://176.113.115.177/x/z.png
Extracted
xenorat
176.113.115.177
RGHEHTJ4GEJHTJSHJAJHAJHA
-
install_path
nothingset
-
port
4404
-
startup_name
nothingset
Targets
-
-
Target
job_offer_personal_profile.pdf.js
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Hide Artifacts: Hidden Files and Directories
-
Suspicious use of SetThreadContext
-