xenorat | 20f245865bcfc518bf44fa8b1bbfa3c91724ed003d65c5002f9823deddad6d6c

Resubmissions

30-08-2024 09:44

240830-lqsx4syfnr 10

12-08-2024 19:19

240812-x1vp8swalk 10

Analysis

max time kernel
33s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aimware_external.exe
Size

1.1MB
MD5

f3726ec3f03283f95e814d084a2769be
SHA1

44afeb86f4d8bfdd8cf49843fc79dc5c5f3d5cb8
SHA256

20f245865bcfc518bf44fa8b1bbfa3c91724ed003d65c5002f9823deddad6d6c
SHA512

93cb5e28494193f0bec93877bfbefda33b71a61fb3d113e20e3f3bf905bc7b530e057218d6ba52c03e13054471c9e8de00e24ecea4747550e209993562d9b29c
SSDEEP

24576:Rc7LqjkLHKx9JYjdK/UmJcgzILePcmVsT+2aicZRDTM1/DEf:RcCkHKxQm9fcmV4+jNZRDsLg

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

147.185.221.21

Mutex

nd8912d

Attributes

delay
3000
install_path
appdata
port
6663
startup_name
svchost.exe

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	aimware_external.exe

Executes dropped EXE 1 IoCs

pid	Process
3212	aimware_external.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3676	aimware_external.exe
3212	aimware_external.exe
3212	aimware_external.exe
3212	aimware_external.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aimware_external.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aimware_external.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4812	schtasks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3676	aimware_external.exe
3212	aimware_external.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3212	3676	aimware_external.exe	93
PID 3676 wrote to memory of 3212	3676	aimware_external.exe	93
PID 3676 wrote to memory of 3212	3676	aimware_external.exe	93
PID 3212 wrote to memory of 4812	3212	aimware_external.exe	96
PID 3212 wrote to memory of 4812	3212	aimware_external.exe	96
PID 3212 wrote to memory of 4812	3212	aimware_external.exe	96

C:\Users\Admin\AppData\Local\Temp\aimware_external.exe
"C:\Users\Admin\AppData\Local\Temp\aimware_external.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Roaming\XenoManager\aimware_external.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\aimware_external.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5DE.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aimware_external.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5DE.tmp

Filesize
1KB

MD5
ade2f76cf60ab21525613c520968ba41

SHA1
78ed066a74d588210e54961257b0230042e7b677

SHA256
2c9717fc12ed82542da3863e0e43dbe7b71862c7cca9419312539b0c7720b59b

SHA512
78f83f3eee33a448f0712fb192cf0b185ad6cb52d9c1d292078bb4f29f2e4d52a8e7568bb41c4b7d34b53bf10589c4c4b2c3ed37defbb44e53e906fd9a797ee2

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\aimware_external.exe

Filesize
1.1MB

MD5
f3726ec3f03283f95e814d084a2769be

SHA1
44afeb86f4d8bfdd8cf49843fc79dc5c5f3d5cb8

SHA256
20f245865bcfc518bf44fa8b1bbfa3c91724ed003d65c5002f9823deddad6d6c

SHA512
93cb5e28494193f0bec93877bfbefda33b71a61fb3d113e20e3f3bf905bc7b530e057218d6ba52c03e13054471c9e8de00e24ecea4747550e209993562d9b29c

Download Submit
memory/3212-21-0x000000007396E000-0x000000007396F000-memory.dmp

Filesize
4KB

Download
memory/3212-23-0x00000000000A0000-0x0000000000452000-memory.dmp

Filesize
3.7MB

Download
memory/3212-29-0x00000000000A0000-0x0000000000452000-memory.dmp

Filesize
3.7MB

Download
memory/3212-18-0x00000000000A0000-0x0000000000452000-memory.dmp

Filesize
3.7MB

Download
memory/3212-19-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3212-30-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3212-28-0x00000000000A0000-0x0000000000452000-memory.dmp

Filesize
3.7MB

Download
memory/3212-22-0x00000000000A0000-0x0000000000452000-memory.dmp

Filesize
3.7MB

Download
memory/3212-25-0x00000000000A0000-0x0000000000452000-memory.dmp

Filesize
3.7MB

Download
memory/3212-24-0x0000000073960000-0x0000000074110000-memory.dmp

Filesize
7.7MB

Download
memory/3676-3-0x00000000002A0000-0x0000000000652000-memory.dmp

Filesize
3.7MB

Download
memory/3676-1-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3676-0-0x00000000002A0000-0x0000000000652000-memory.dmp

Filesize
3.7MB

Download
memory/3676-2-0x000000007396E000-0x000000007396F000-memory.dmp

Filesize
4KB

Download
memory/3676-17-0x00000000002A0000-0x0000000000652000-memory.dmp

Filesize
3.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads