Resubmissions

09-08-2024 18:10

240809-wsd7vatdpq 10

09-08-2024 18:06

240809-wpp5yaxdpa 10

09-08-2024 13:45

240809-q2hzhavera 10

General

  • Target

    SaturnTempSpoofer.exe

  • Size

    181KB

  • Sample

    240809-q2hzhavera

  • MD5

    0380311e496051295f02a440d4f34308

  • SHA1

    d2b2d91ced3d0526fcb13f310bb5f7be4844b346

  • SHA256

    ab0f362333e655da8332ba89226f9ac0c90e31aa53e633097cf6f88aead1a389

  • SHA512

    b95a20df94c311deb080d45e1bcd7cd3f79e449041acd52bc67423adb50f49ec9e4728838f96aaec0f67d1fb9cb7403be0e445db06928434f49baac565be600e

  • SSDEEP

    3072:UVqoCl/YgjxEufVU0TbTyDDalQlzw+jqZ91UbTK4I:UsLqdufVUNDaRW491Ub8

Malware Config

Extracted

Family

xenorat

C2

73.131.36.77

Attributes

  • install_path

    appdata

  • port

    4782

  • startup_name

    AppWindows.exe

Targets

    • Target

      SaturnTempSpoofer.exe

    • Size

      181KB

    • MD5

      0380311e496051295f02a440d4f34308

    • SHA1

      d2b2d91ced3d0526fcb13f310bb5f7be4844b346

    • SHA256

      ab0f362333e655da8332ba89226f9ac0c90e31aa53e633097cf6f88aead1a389

    • SHA512

      b95a20df94c311deb080d45e1bcd7cd3f79e449041acd52bc67423adb50f49ec9e4728838f96aaec0f67d1fb9cb7403be0e445db06928434f49baac565be600e

    • SSDEEP

      3072:UVqoCl/YgjxEufVU0TbTyDDalQlzw+jqZ91UbTK4I:UsLqdufVUNDaRW491Ub8

    • Modifies visibility of hidden/system files in Explorer

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15