xenorat | d78ea86672081dae69afc22f94de2ce5e6867653d42d9bb8d215703be3f9f25c | Triage

Sharing

General

Target

Universe.bat
Size

266KB
Sample

240823-plhhcstcre
MD5

b20843491bae175a8a3ea58950133d1a
SHA1

33552409f87c4b04f1a97e21c181e27327e0f847
SHA256

d78ea86672081dae69afc22f94de2ce5e6867653d42d9bb8d215703be3f9f25c
SHA512

998bfa168786a28b6d5dc1d682ee7a75eceee58980a4a643c6c89d52a521bc592aa261c653d24f697c4e092379f63816344ff3667a6acb9d21bbeb2016d8c18b
SSDEEP

6144:J4blXryzoC5iq4a8PLJlAl0bBt1Az2iZg7Z8esqA4zX:ibc8ICa8PNC0blH9dsqh

Score

10^/10

xenorat execution rat trojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Targets

- Target
  
  Universe.bat
- Size
  
  266KB
- MD5
  
  b20843491bae175a8a3ea58950133d1a
- SHA1
  
  33552409f87c4b04f1a97e21c181e27327e0f847
- SHA256
  
  d78ea86672081dae69afc22f94de2ce5e6867653d42d9bb8d215703be3f9f25c
- SHA512
  
  998bfa168786a28b6d5dc1d682ee7a75eceee58980a4a643c6c89d52a521bc592aa261c653d24f697c4e092379f63816344ff3667a6acb9d21bbeb2016d8c18b
- SSDEEP
  
  6144:J4blXryzoC5iq4a8PLJlAl0bBt1Az2iZg7Z8esqA4zX:ibc8ICa8PNC0blH9dsqh
Score

10^/10

execution xenorat rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xenoratexecutionrattrojan