xenorat | 6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3 | Triage

Sharing

General

Target

6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3
Size

249KB
Sample

240726-sc5hbavcrm
MD5

d9dec4584b14bc1d0c5f51522743a385
SHA1

3e1269800b8cfb93f802307354eb8227f6503f05
SHA256

6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3
SHA512

5976deb2bb2084cd00d9888602e75b1966a9b0f4f8b1e23814f7f988b050523538c33e39d2874bf0e586b5bedae6257e05732434179c7f88f022f2eeb98b3dbd
SSDEEP

6144:18arJr5++gsCwCZ41JD7Ae31rwMwAZtUSiHrmM8FDy47j+wf6y5Mlg5XI:XNr1Kv41Joi2k/U4Dy47j+wf6y5Mlg54

Score

10^/10

xenorat credential_access discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

C2

45.66.231.63

Mutex

Holid_rat_nd8859g

Attributes

delay
60400
install_path
appdata
port
1243
startup_name
HDdisplay

Targets

- Target
  
  6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3
- Size
  
  249KB
- MD5
  
  d9dec4584b14bc1d0c5f51522743a385
- SHA1
  
  3e1269800b8cfb93f802307354eb8227f6503f05
- SHA256
  
  6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3
- SHA512
  
  5976deb2bb2084cd00d9888602e75b1966a9b0f4f8b1e23814f7f988b050523538c33e39d2874bf0e586b5bedae6257e05732434179c7f88f022f2eeb98b3dbd
- SSDEEP
  
  6144:18arJr5++gsCwCZ41JD7Ae31rwMwAZtUSiHrmM8FDy47j+wf6y5Mlg5XI:XNr1Kv41Joi2k/U4Dy47j+wf6y5Mlg54
Score

10^/10

xenorat credential_access discovery rat spyware stealer trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratcredential_accessdiscoveryratspywarestealertrojan

behavioral2

xenoratcredential_accessdiscoveryratspywarestealertrojan