Malware Analysis Report

2024-10-19 07:50

Sample ID 240813-r4rvvsthmk
Target slinkylauncher.exe
SHA256 ec6fcac47b52001e6b9af66588ebb95c6de3f2e6a4b942e0d04f2c114633fddb
Tags
xenorat discovery pyinstaller rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ec6fcac47b52001e6b9af66588ebb95c6de3f2e6a4b942e0d04f2c114633fddb

Threat Level: Known bad

The file slinkylauncher.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery pyinstaller rat trojan

XenorRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 14:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 14:45

Reported

2024-08-13 14:48

Platform

win7-20240729-en

Max time kernel

16s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe

"C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 14:45

Reported

2024-08-13 14:48

Platform

win10v2004-20240802-en

Max time kernel

140s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe
PID 2412 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe
PID 2412 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe
PID 5116 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe
PID 5116 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe
PID 5116 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe
PID 1680 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe
PID 1680 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe
PID 1680 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe
PID 432 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe
PID 4700 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe
PID 4700 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe
PID 704 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe C:\Windows\SysWOW64\schtasks.exe
PID 704 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe C:\Windows\SysWOW64\schtasks.exe
PID 704 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe C:\Windows\SysWOW64\schtasks.exe
PID 432 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe

"C:\Users\Admin\AppData\Local\Temp\slinkylauncher.exe"

C:\Windows\system32\cmd.exe

cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe

C:\Windows\system32\cmd.exe

cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe

C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe

C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe

C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe

C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe

C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe

C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c title NitroGen v1.3 ~ Made by viben#6633 [Menu]

C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\n2hvu9.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "NitroGenerator" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E72.tmp" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c title Nitro Gen v1.3 ~ Made by viben#6633 [Generator]

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
ES 88.15.130.212:4444 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
ES 88.15.130.212:4444 tcp
ES 88.15.130.212:4444 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
ES 88.15.130.212:4444 tcp
ES 88.15.130.212:4444 tcp

Files

C:\Users\Admin\AppData\Local\Temp\n2hvu9.exe

C:\Users\Admin\AppData\Local\Temp\p5q9jo.exe

memory/4700-30-0x000000007444E000-0x000000007444F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI16802\python38.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16802\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16802\base_library.zip

memory/4700-40-0x00000000001E0000-0x0000000000210000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16802\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_brotli.cp38-win32.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\MSVCP140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_queue.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI16802\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\tmp9E72.tmp