Malware Analysis Report

2024-10-19 07:50

Sample ID 240812-grj95ssfpg
Target Vape.Ghost.Client.exe
SHA256 1da503b09db301240e0e884cb784c00ac36bed73ff1589706db852fd21dc1b90
Tags xenorat discovery persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

1da503b09db301240e0e884cb784c00ac36bed73ff1589706db852fd21dc1b90

Threat Level: Known bad

The file Vape.Ghost.Client.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery persistence rat trojan

XenorRat

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 06:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 06:02

Reported

2024-08-12 06:03

Platform

win11-20240802-en

Max time kernel

29s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe

"C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE

Network

Country Destination Domain Proto
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE

MD5 244c234696a4a686ba7b6e4652d6200e
SHA1 09806d289fb39ed2997eadceb901ba8e2e5616e5
SHA256 2930b9f36c5719b27475da8bec4990528fc2aa55d768007b06b7d4c1cdad2654
SHA512 c40b6c8e1ec76e0018c0a15d0192e2371445a8250d42de78ccbfb3b3a100f9c21261ad7bad20ec92dada4d67ca05ae6474a9555a414167c96a1e479d93ac07f9

memory/2580-7-0x000000007521E000-0x000000007521F000-memory.dmp

memory/2580-8-0x0000000000960000-0x0000000000976000-memory.dmp

memory/2580-9-0x0000000075210000-0x00000000759C1000-memory.dmp

memory/2580-10-0x000000007521E000-0x000000007521F000-memory.dmp