xenorat | 332c5041438fb488709b351f39dc5dcdaeb11f575a6330ce9f77811e9e22d16f

Analysis

max time kernel
114s
max time network
109s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82bfd5e62292dd3819e30203bf3d600N.exe
Size

62KB
MD5

a82bfd5e62292dd3819e30203bf3d600
SHA1

45f9ad119f1fcde707e9f1d48a8f2d321e5728bb
SHA256

332c5041438fb488709b351f39dc5dcdaeb11f575a6330ce9f77811e9e22d16f
SHA512

d42a6809638575457426dd0b75a76627a4cc55f21d8f7d0990491d299b07fff7c2e4674ce6835ccf3e788767fe6b451a2e254afcea451c74bfb21c12aa856bd5
SSDEEP

1536:QGfpH0kPZMak9VeXOCey6+yjjPhWzkDalm3x42oQF6atdf:vWak94ey6+yjj8QGlmh4QF6atdf

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.100.111

Mutex

andrei

Attributes

delay
3000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2780 set thread context of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	a82bfd5e62292dd3819e30203bf3d600N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	a82bfd5e62292dd3819e30203bf3d600N.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2848	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	30
PID 2780 wrote to memory of 2848	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	30
PID 2780 wrote to memory of 2848	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	30
PID 2780 wrote to memory of 2848	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	30
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31
PID 2780 wrote to memory of 2840	2780	a82bfd5e62292dd3819e30203bf3d600N.exe	31

C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe
"C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe
  "C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe"
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe
  "C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe"
  2⤵
  PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2780-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/2780-1-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

Filesize
88KB

Download
memory/2780-2-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-3-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/2780-4-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-5-0x00000000009B0000-0x00000000009C4000-memory.dmp

Filesize
80KB

Download
memory/2780-19-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2840-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2840-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2840-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2840-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2840-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2840-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2840-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2840-18-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-20-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-21-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-22-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download