General

  • Target

    54eafd9bd8105444ccd57e92dc3bee43166532da0a71e26686fe9913956f6243.zip

  • Size

    219KB

  • Sample

    240727-fz1fnazajj

  • MD5

    eeae6ed0cb9617db5e467c8e924bd04b

  • SHA1

    643b8a3c7bbe8ee6280c0a8fdfddded4d3b2a85d

  • SHA256

    0dbb02c1e2339d63e0a48e0eb8eeada5c904a2aabf354137a66c2232268c0e81

  • SHA512

    2fa53ffceac469d93428450b778e6e9d6e2e5e07a7c963ffdf8196bf44a36750a7967279035f5ece301919ee29819129c330fc5c64e78a65da6fa1948c0bf138

  • SSDEEP

    6144:lnINzSas+oWnQT9/u1SUGykrGVA7YKAdDqP:5rafXnOu1L8rGjKP

Malware Config

Extracted

Family

xenorat

C2

45.66.231.63

Mutex

Holid_rat_nd8859g

Attributes
  • delay

    60400

  • install_path

    appdata

  • port

    1243

  • startup_name

    HDdisplay
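The extracted configuration above is enough to build detections without re-running the sample. The following added example (not part of this report, nor of the sandbox that produced it) turns those values into a network rule, a YARA rule and a memory/binary scanner. The rule names, the Suricata sid and the `%APPDATA%` mapping for `install_path: appdata` are assumptions made for illustration; the one point worth noting is that XenoRAT is a .NET assembly, so its string literals are stored as UTF-16LE and any string-based rule must search both encodings.

```python
"""Build detections from the XenoRAT config reported above.
Added example, not code from the report or the sandbox."""
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class XenoRatConfig:
    c2: str
    port: int
    mutex: str
    startup_name: str
    install_path: str
    delay: int  # copied as reported; the report does not state the unit


# Values copied from the "Malware Config" section of the report.
REPORTED = XenoRatConfig(
    c2="45.66.231.63", port=1243, mutex="Holid_rat_nd8859g",
    startup_name="HDdisplay", install_path="appdata", delay=60400)

# SHA256 of the inner .exe as listed under "Targets".
REPORTED_SHA256 = "54eafd9bd8105444ccd57e92dc3bee43166532da0a71e26686fe9913956f6243"


def network_ioc(cfg):
    """Return (ip, port) after checking the C2 really is a literal IPv4,
    so it is safe to drop into an address-based rule (hostnames would need
    a DNS rule instead)."""
    ip = ipaddress.ip_address(cfg.c2)  # raises ValueError for a hostname
    return str(ip), cfg.port


def suricata_rule(cfg, sid=1000001):  # sid is an assumed local value
    ip, port = network_ioc(cfg)
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"XenoRAT C2 {ip}:{port}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def yara_rule(cfg, name="xenorat_reported_config"):  # name is assumed
    # .NET string literals live in the #US heap as UTF-16LE, hence `wide`;
    # `ascii` keeps the rule useful on decoded configs and memory dumps.
    return "\n".join([
        f"rule {name}",
        "{",
        "    strings:",
        f'        $mutex   = "{cfg.mutex}" ascii wide',
        f'        $startup = "{cfg.startup_name}" ascii wide',
        f'        $c2      = "{cfg.c2}" ascii wide',
        "    condition:",
        "        uint16(0) == 0x5A4D and 2 of them",
        "}",
    ])


def encoded_strings(cfg):
    """Each config string in the two encodings a .NET binary or its
    process memory may hold it in."""
    return {label: (value.encode("ascii"), value.encode("utf-16-le"))
            for label, value in (("mutex", cfg.mutex),
                                 ("startup", cfg.startup_name),
                                 ("c2", cfg.c2))}


def scan_blob(blob, cfg):
    """Labels of config strings present in blob in either encoding.
    Useful on a memory dump or an unpacked module."""
    return {label for label, encs in encoded_strings(cfg).items()
            if any(enc in blob for enc in encs)}


def matches_report(sample_bytes, expected_sha256=REPORTED_SHA256):
    """Confirm a retrieved file is the sample this report describes before
    applying the extracted config to it."""
    return hashlib.sha256(sample_bytes).hexdigest() == expected_sha256.lower()


# Constructed stand-in for a memory dump: MZ header, the mutex as UTF-16LE,
# the C2 as ASCII, no startup name. Not real sample data.
SAMPLE_BLOB = (b"MZ" + b"\x00" * 14
               + "Holid_rat_nd8859g".encode("utf-16-le")
               + b"\x00\x00padding\x00" + b"45.66.231.63\x00")

if __name__ == "__main__":
    print(suricata_rule(REPORTED))
    print(yara_rule(REPORTED))
    print("found in blob:", sorted(scan_blob(SAMPLE_BLOB, REPORTED)))
```

When hunting on hosts, the same values map to a mutex named `Holid_rat_nd8859g`, a persistence entry named `HDdisplay`, and a dropped copy under the user's AppData directory; the exact persistence location (Run key versus scheduled task) is not shown by this report and should be confirmed in the sandbox's process or registry trace.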

Targets

    • Target

      54eafd9bd8105444ccd57e92dc3bee43166532da0a71e26686fe9913956f6243.exe

    • Size

      253KB

    • MD5

      e74db56e352d5015304af19ec21ffeb5

    • SHA1

      cf026e98f937ea8989a789fa8e43895f3f642431

    • SHA256

      54eafd9bd8105444ccd57e92dc3bee43166532da0a71e26686fe9913956f6243

    • SHA512

      32854f3b960a17c9051714d4b456517607f21e57547c6711b4ae2020c54462ca554edc01d789052a66e082637ed6cf9854e624b6d938c6c852a282de13299dc2

    • SSDEEP

      6144:fK0vMcNP/YJ4/OmWMDJBP1FOHu10jc9ppUATB4KQK0f6nYSr8Kg0I:fK0vDE4dDJN6Hu10jcraOB4KQK0f6nYX

    • XenorRat

      XenoRAT (labelled XenorRat by this signature) is a remote access trojan written in C# and delivered as a .NET assembly.

    • Checks computer location settings

      Reads the country code configured in the registry, likely as a geofence check that decides whether the sample runs on this host.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is characteristic of process hollowing or thread hijacking, so the dropped EXE should be treated as a potential injection host.

MITRE ATT&CK Enterprise v15
