xenorat | 27bea02ba16a40be47d94547a9cad6dbc6b40111bbf7616c175cf81c83260a5e

Analysis

max time kernel
503s
max time network
435s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GlucoseBootstrapper.exe
Size

310KB
MD5

42b5a7ab130d52ef5d1cdb8f1a62e70c
SHA1

43b4275d2442fc2e352dc1890b0dfa031f6aec88
SHA256

27bea02ba16a40be47d94547a9cad6dbc6b40111bbf7616c175cf81c83260a5e
SHA512

1eee045c0d92e8e235694620ea53f379a6a87514b84a0783ff92c85187a51b6a03e7d839910a564e1f7f58d861be87597e3cef056e103877ff6067648dbf7979
SSDEEP

6144:rW991UbxJWt5c2xE7orTkcikKfnvVREg8SSovnF6zeZm4wgXtMhSWJTz3A2Gatec:rOzw45W26CC

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
4444
startup_name
antibyfron

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	GlucoseBootstrapper.exe

Executes dropped EXE 1 IoCs

pid	Process
1736	GlucoseBootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlucoseBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GlucoseBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5052	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 1736	4664	GlucoseBootstrapper.exe	85
PID 4664 wrote to memory of 1736	4664	GlucoseBootstrapper.exe	85
PID 4664 wrote to memory of 1736	4664	GlucoseBootstrapper.exe	85
PID 1736 wrote to memory of 5052	1736	GlucoseBootstrapper.exe	86
PID 1736 wrote to memory of 5052	1736	GlucoseBootstrapper.exe	86
PID 1736 wrote to memory of 5052	1736	GlucoseBootstrapper.exe	86

C:\Users\Admin\AppData\Local\Temp\GlucoseBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\GlucoseBootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\XenoManager\GlucoseBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\GlucoseBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "antibyfron" /XML "C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XenoManager\GlucoseBootstrapper.exe

Filesize
310KB

MD5
42b5a7ab130d52ef5d1cdb8f1a62e70c

SHA1
43b4275d2442fc2e352dc1890b0dfa031f6aec88

SHA256
27bea02ba16a40be47d94547a9cad6dbc6b40111bbf7616c175cf81c83260a5e

SHA512
1eee045c0d92e8e235694620ea53f379a6a87514b84a0783ff92c85187a51b6a03e7d839910a564e1f7f58d861be87597e3cef056e103877ff6067648dbf7979

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp972F.tmp

Filesize
1KB

MD5
479d65117a5f7fac01ce118201caafb3

SHA1
b2d86fc21c0a76e9affa72fb3a5c2ae415219dc3

SHA256
00a4d1e077010c21caad86d8abb241f758cb1fe6b5d3ca28fd951f982825b1e3

SHA512
e07eca7b339b617e1156d13c24c087f4f519dd3a24d60717c2e2decba13243ec2b428280725072cef92045534f67abc9e26daac8dba6114a96703c7dd9ba990f

Download Submit
memory/1736-14-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/1736-17-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/1736-18-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/4664-0-0x00000000753BE000-0x00000000753BF000-memory.dmp

Filesize
4KB

Download
memory/4664-1-0x0000000000320000-0x0000000000374000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads