xenorat | 929bd3290253659ed89c3331eb1792fd8b6dee75b0872e485bbcc4cf417566bc | Triage

Sharing

General

Target

windows_update.exe
Size

108KB
Sample

240726-zgzwystcpq
MD5

a6ea9e37bd47303cac85f331e64838a8
SHA1

a265b9cfbcef84980e2d2e1d11cd7b1097396297
SHA256

929bd3290253659ed89c3331eb1792fd8b6dee75b0872e485bbcc4cf417566bc
SHA512

a7615b9d24065132cf467386fed3ff273da2e6af71a48e150b0dca4437c2ed0eb9693fff51ae33f3dee1f195e15311469063527f779135f54ab07573b040c52d
SSDEEP

1536:mmiY0ryGXrOvCRq0wj4RcIVIbEAvYaueXe:mmiY0jKT02bEA51e

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

192.168.30.131

Mutex

Microsoft Inc

Attributes

delay
5000
install_path
temp
port
9099
startup_name
nothingset

Targets

- Target
  
  windows_update.exe
- Size
  
  108KB
- MD5
  
  a6ea9e37bd47303cac85f331e64838a8
- SHA1
  
  a265b9cfbcef84980e2d2e1d11cd7b1097396297
- SHA256
  
  929bd3290253659ed89c3331eb1792fd8b6dee75b0872e485bbcc4cf417566bc
- SHA512
  
  a7615b9d24065132cf467386fed3ff273da2e6af71a48e150b0dca4437c2ed0eb9693fff51ae33f3dee1f195e15311469063527f779135f54ab07573b040c52d
- SSDEEP
  
  1536:mmiY0ryGXrOvCRq0wj4RcIVIbEAvYaueXe:mmiY0jKT02bEA51e
Score

10^/10

xenorat discovery rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoveryrattrojan

behavioral2

xenoratdiscoveryrattrojan