xenorat | 332c5041438fb488709b351f39dc5dcdaeb11f575a6330ce9f77811e9e22d16f

Analysis

max time kernel
112s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a82bfd5e62292dd3819e30203bf3d600N.exe
Size

62KB
MD5

a82bfd5e62292dd3819e30203bf3d600
SHA1

45f9ad119f1fcde707e9f1d48a8f2d321e5728bb
SHA256

332c5041438fb488709b351f39dc5dcdaeb11f575a6330ce9f77811e9e22d16f
SHA512

d42a6809638575457426dd0b75a76627a4cc55f21d8f7d0990491d299b07fff7c2e4674ce6835ccf3e788767fe6b451a2e254afcea451c74bfb21c12aa856bd5
SSDEEP

1536:QGfpH0kPZMak9VeXOCey6+yjjPhWzkDalm3x42oQF6atdf:vWak94ey6+yjj8QGlmh4QF6atdf

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.100.111

Mutex

andrei

Attributes

delay
3000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4876 set thread context of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94
PID 4876 wrote to memory of 5088	4876	a82bfd5e62292dd3819e30203bf3d600N.exe	94

C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe
"C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe
  "C:\Users\Admin\AppData\Local\Temp\a82bfd5e62292dd3819e30203bf3d600N.exe"
  2⤵
  PID:5088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a82bfd5e62292dd3819e30203bf3d600N.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
memory/4876-4-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/4876-7-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4876-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/4876-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4876-9-0x0000000004FA0000-0x0000000004FB4000-memory.dmp

Filesize
80KB

Download
memory/4876-6-0x0000000005080000-0x00000000050F6000-memory.dmp

Filesize
472KB

Download
memory/4876-2-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/4876-8-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4876-5-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4876-10-0x0000000005120000-0x000000000513E000-memory.dmp

Filesize
120KB

Download
memory/4876-15-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4876-1-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/5088-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5088-14-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-16-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/5088-17-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads