Overview

overview

10

Static

static

3

XenoRAT.exe

windows7-x64

10

XenoRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    26-07-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XenoRAT.exe

  • Size

    150KB

  • MD5

    fcc55ef512ccf37a07ec703b59cc7aad

  • SHA1

    9abef70ff67a2a7032ac1da4cd65424e7b2130b7

  • SHA256

    38b26e2364bc081a90145838451341f14bda3cbd15bba54bf0114cab5d2f8667

  • SHA512

    e26567479340c42126937edba18399af1d070b89c95fb8871dcbf3afb524bc89e289d361f4aa038f655e77b28e095ae3e487d8938248ea3d32677168acd17517

  • SSDEEP

    3072:1QeAu96QNvQRARkML2zzFT1xfeRfAqq9a7JcKYfb5q9ZX4o3+mI:v9zvQvMLqFT1JZ9a7NYfbkT93fI

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

45.66.231.63

Mutex

Holid_rat_nd8859g

Attributes
  • delay

    60400

  • install_path

    appdata

  • port

    1243

  • startup_name

    HDdisplay

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2204
        • C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2404
        • C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2040
        • C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2688
    • C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2244
    • C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2276
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6F0.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1988
    • C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      C:\Users\Admin\AppData\Local\Temp\XenoRAT.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB6F0.tmp
    Filesize

    1KB

    MD5

    961e7ac8e35d0656a62385c11fca1647

    SHA1

    39bcac6fb9481661123ff220d3a4d0cdd6f16c81

    SHA256

    bca1401eabb71a5ca39dc4626ee257430d340e9333626ad47f6a8cd68c49a046

    SHA512

    5206a2c52ba0a81d082a3e08cc38a4882be70dc5e508e04136b315033275f4b296b343187c7f9b1a824058406306b9b7a55432fc518d83ba452fd7094b953258

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XenoManager\XenoRAT.exe
    Filesize

    150KB

    MD5

    fcc55ef512ccf37a07ec703b59cc7aad

    SHA1

    9abef70ff67a2a7032ac1da4cd65424e7b2130b7

    SHA256

    38b26e2364bc081a90145838451341f14bda3cbd15bba54bf0114cab5d2f8667

    SHA512

    e26567479340c42126937edba18399af1d070b89c95fb8871dcbf3afb524bc89e289d361f4aa038f655e77b28e095ae3e487d8938248ea3d32677168acd17517

    Download Submit

  • memory/772-2-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/772-9-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/772-4-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/772-32-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/772-52-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2324-30-0x0000000000C80000-0x0000000000CAC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2548-0-0x000000007455E000-0x000000007455F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-1-0x0000000000890000-0x00000000008BC000-memory.dmp

    Filesize

    176KB

    Download