Malware Analysis Report

2024-10-19 07:51

Sample ID 240813-224rra1arc
Target gdfgdfgfdg.exe
SHA256 009c7b94b0d9541477c43105707754fa3ad4962dc561533a4a0b86689f2518db
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

009c7b94b0d9541477c43105707754fa3ad4962dc561533a4a0b86689f2518db

Threat Level: Known bad

The file gdfgdfgfdg.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

Xenorat family

XenorRat

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 23:05

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 23:05

Reported

2024-08-13 23:08

Platform

win10-20240611-en

Max time kernel

129s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe N/A

The executed file is a copy of the submitted sample: its SHA256 in the Files section (009c7b94b0d9541477c43105707754fa3ad4962dc561533a4a0b86689f2518db) is identical to the sample's. The Temp copy writes itself to the XenoManager folder under %APPDATA% and the copy is then launched from there.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe

"C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe

"C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe"

Network

Country  Destination            Domain                          Proto
SE       2.21.189.164:80        (none recorded)                 tcp
BE       2.17.107.203:80        (none recorded)                 tcp
US       8.8.8.8:53             related-directed.gl.at.ply.gg   udp
US       147.185.221.20:3403    related-directed.gl.at.ply.gg   tcp
US       8.8.8.8:53             20.221.185.147.in-addr.arpa     udp
US       8.8.8.8:53             13.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53             9.179.89.13.in-addr.arpa        udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp

The tcp/3403 session to related-directed.gl.at.ply.gg (147.185.221.20) is consistent with the RAT's command-and-control channel. Hostnames under at.ply.gg are playit.gg tunnel endpoints, so the address belongs to the tunnel service rather than to the operator's own host; block or alert on the hostname, not only the IP. The 20.221.185.147.in-addr.arpa query is the reverse lookup of that same address. The two tcp/80 connections have no domain recorded in the report.
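The Processes and Network sections above give a defender three hunt-able behaviours: the sample relaunching an identical copy of itself from AppData\Roaming\XenoManager, a DNS lookup for a playit.gg tunnel hostname followed by a connection to the resolved address, and the NLS\Language registry read (which on its own is noise, since nearly every .NET process performs it). The Python below is an added example and not part of the sandbox report or of any vendor's tooling. Its event records are constructed to mirror the report (paths, hashes and hostnames are copied from it; the process ids follow the numbers in the memory dump file names and are assumed to be pids), the Sysmon-like field names are an assumed schema, and the benign process at pid 4100 is invented as a control.

```python
"""Hunt for the behaviours in this report in constructed endpoint telemetry.

Added example, not part of the sandbox report and not vendor tooling. The
event records are constructed to mirror the report's Processes, Network and
Files sections; the event types (ProcessCreate, FileCreate, RegistryRead,
DnsQuery, NetworkConnect) are an assumed Sysmon-like schema.
"""
import re

SAMPLE_SHA256 = "009c7b94b0d9541477c43105707754fa3ad4962dc561533a4a0b86689f2518db"
NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed telemetry. pids 1228 and 2840 follow the report's memory dump
# names (assumed to be process ids); pid 4100 is an invented benign control.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1228, "ppid": 500, "sha256": SAMPLE_SHA256,
     "image": r"C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe"},
    {"type": "RegistryRead", "pid": 1228, "key": NLS_KEY},
    {"type": "FileCreate", "pid": 1228,
     "path": r"C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe"},
    {"type": "ProcessCreate", "pid": 2840, "ppid": 1228, "sha256": SAMPLE_SHA256,
     "image": r"C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe"},
    {"type": "RegistryRead", "pid": 2840, "key": NLS_KEY},
    {"type": "DnsQuery", "pid": 2840, "query": "related-directed.gl.at.ply.gg"},
    {"type": "NetworkConnect", "pid": 2840, "dst": "147.185.221.20:3403", "proto": "tcp"},
    {"type": "ProcessCreate", "pid": 4100, "ppid": 700, "sha256": "ab" * 32,
     "image": r"C:\Program Files\ExampleVendor\app.exe"},
    {"type": "RegistryRead", "pid": 4100, "key": NLS_KEY},
    {"type": "DnsQuery", "pid": 4100, "query": "update.example.com"},
]

PLY_GG = re.compile(r"(^|\.)ply\.gg$", re.IGNORECASE)
XENOMANAGER_DIR = re.compile(r"\\AppData\\Roaming\\XenoManager\\", re.IGNORECASE)
NLS_LANGUAGE_KEY = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)


def hunt(events):
    """Return (rule, pid, detail) tuples for the report's behaviours found in events."""
    findings = []
    procs = {}           # pid -> ProcessCreate event, so children can be compared to parents
    tunnel_pids = set()  # pids that resolved a playit.gg tunnel hostname

    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "ProcessCreate":
            procs[pid] = ev
            parent = procs.get(ev["ppid"])
            # "Executes dropped EXE" where the drop hashes identically to the
            # parent: the same binary relaunched from a different path.
            if (parent and parent["sha256"] == ev["sha256"]
                    and parent["image"].lower() != ev["image"].lower()):
                findings.append(("self_copy_execution", pid, ev["image"]))
            if XENOMANAGER_DIR.search(ev["image"]):
                findings.append(("xenomanager_path", pid, ev["image"]))
        elif kind == "FileCreate" and XENOMANAGER_DIR.search(ev["path"]):
            findings.append(("xenomanager_path", pid, ev["path"]))
        elif kind == "DnsQuery" and PLY_GG.search(ev["query"]):
            # *.ply.gg is the playit.gg tunnel broker; the resolved address is
            # the broker's, so the hostname is the durable indicator.
            tunnel_pids.add(pid)
            findings.append(("playit_tunnel_dns", pid, ev["query"]))
        elif kind == "NetworkConnect" and pid in tunnel_pids:
            findings.append(("playit_tunnel_connect", pid, ev["dst"]))

    # Reading NLS\Language is T1614.001, but nearly every .NET process does it,
    # so it is only reported for processes already flagged by another rule.
    flagged = {pid for _, pid, _ in findings}
    for ev in events:
        if (ev["type"] == "RegistryRead" and ev["pid"] in flagged
                and NLS_LANGUAGE_KEY.search(ev["key"])):
            findings.append(("language_discovery_in_flagged_process", ev["pid"], ev["key"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:40} pid={pid:<5} {detail}")
```

Run against the constructed events, the two sample processes (1228 and 2840) are flagged and the benign control process is not, even though it reads the same NLS\Language key; the self-copy rule keys on hash equality between parent and child rather than on the XenoManager folder name, so it survives a change of install directory.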

Files

memory/2840-0-0x00007FFF328A0000-0x00007FFF32A7B000-memory.dmp

memory/2840-1-0x0000000000550000-0x0000000000562000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe

MD5 b1ff6fc37c6f30705b60421bad837ba1
SHA1 86c14aa784f97ac9018bd33d2b2cda2606dc0679
SHA256 009c7b94b0d9541477c43105707754fa3ad4962dc561533a4a0b86689f2518db
SHA512 5bb2f33b6d7663a88290e0bffc81470614455da4ebf5ea8aae4e8b38b41d702dce1ca47616808f2cfd48c6061b935ec1379281bb43e56f4e1c153e1abb67ba09

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gdfgdfgfdg.exe.log

(This usage log is written by the .NET Framework 4.x runtime when a managed executable runs; its presence indicates gdfgdfgfdg.exe is a .NET assembly executed as a 32-bit process.)

MD5 957779c42144282d8cd83192b8fbc7cf
SHA1 de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512 f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

memory/1228-9-0x00007FFF328A0000-0x00007FFF32A7B000-memory.dmp