General
-
Target
PAGO_Transferencia.lnk.lnk
-
Size
2KB
-
Sample
240726-m45dqsxfpc
-
MD5
4db66f511c6604f1be1ae032b84f8358
-
SHA1
8ab73293cf42ead05326874845622cea78822c8f
-
SHA256
1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7
-
SHA512
2cf294db093bbe00ce504d2817dced1d62d7eb8af4a7183836fb4af0288f7e5018cd2226bea522ad5464b911317bd184bb36303e766fa4a59239f87878510c67
Malware Config
Extracted
http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe
Extracted
xenorat
45.66.231.63
Holid_rat_nd8859g
-
delay
60400
-
install_path
appdata
-
port
1243
-
startup_name
HDdisplay
Targets
-
-
Target
PAGO_Transferencia.lnk.lnk
-
Size
2KB
-
MD5
4db66f511c6604f1be1ae032b84f8358
-
SHA1
8ab73293cf42ead05326874845622cea78822c8f
-
SHA256
1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7
-
SHA512
2cf294db093bbe00ce504d2817dced1d62d7eb8af4a7183836fb4af0288f7e5018cd2226bea522ad5464b911317bd184bb36303e766fa4a59239f87878510c67
Score10/10-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Suspicious use of SetThreadContext
-