xenorat | a9dc5a36a49131fc5c0e0f64eda0f9c00266cf2359aa5689b5dfc7bb74579c69

General

Target

9319a7b02879066d144b9f84f5b9e4c0N.exe
Size

45KB
MD5

9319a7b02879066d144b9f84f5b9e4c0
SHA1

0634823bf3a1eecb8089634963617e7e484ec45f
SHA256

a9dc5a36a49131fc5c0e0f64eda0f9c00266cf2359aa5689b5dfc7bb74579c69
SHA512

0dad848ba0dc0daf1af8830ad7d54e121c71cf133a83195293ef51a6f02bab2e6fbe27e9b215136f8ceff909c7f54a31d4710bc7d60b4b5b543b67fbdef90bb5
SSDEEP

768:xdhO/poiiUcjlJInJtUH9Xqk5nWEZ5SbTDaHKWI7CPW5g:vw+jjgn/UH9XqcnW85SbTDWIo

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

5.226.137.239

Mutex

Xt_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
aruba

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
2592	9319a7b02879066d144b9f84f5b9e4c0N.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	9319a7b02879066d144b9f84f5b9e4c0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9319a7b02879066d144b9f84f5b9e4c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9319a7b02879066d144b9f84f5b9e4c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2824	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2592	2772	9319a7b02879066d144b9f84f5b9e4c0N.exe	30
PID 2772 wrote to memory of 2592	2772	9319a7b02879066d144b9f84f5b9e4c0N.exe	30
PID 2772 wrote to memory of 2592	2772	9319a7b02879066d144b9f84f5b9e4c0N.exe	30
PID 2772 wrote to memory of 2592	2772	9319a7b02879066d144b9f84f5b9e4c0N.exe	30
PID 2592 wrote to memory of 2824	2592	9319a7b02879066d144b9f84f5b9e4c0N.exe	31
PID 2592 wrote to memory of 2824	2592	9319a7b02879066d144b9f84f5b9e4c0N.exe	31
PID 2592 wrote to memory of 2824	2592	9319a7b02879066d144b9f84f5b9e4c0N.exe	31
PID 2592 wrote to memory of 2824	2592	9319a7b02879066d144b9f84f5b9e4c0N.exe	31

C:\Users\Admin\AppData\Local\Temp\9319a7b02879066d144b9f84f5b9e4c0N.exe
"C:\Users\Admin\AppData\Local\Temp\9319a7b02879066d144b9f84f5b9e4c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Roaming\XenoManager\9319a7b02879066d144b9f84f5b9e4c0N.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\9319a7b02879066d144b9f84f5b9e4c0N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "aruba" /XML "C:\Users\Admin\AppData\Local\Temp\tmp697D.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp697D.tmp

Filesize
1KB

MD5
4c8ec96e592952261c03dbbd61746a32

SHA1
0def8d9e97ecb1cc9d98bf59c6ffd87b215552fa

SHA256
73537c92c46bd86785c330a1396f641cd8d4dbecba671a452c5bce8c0f559f36

SHA512
0d8803416e8c8dfaa5b81dc85dd0d7dd1069ef6802fabf6098a0a817116c6f375ed470cb04c53cd103bc3588c808c89d1db20ff3b5fe1a2d2c11e1a6aedf0b1b

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\9319a7b02879066d144b9f84f5b9e4c0N.exe

Filesize
45KB

MD5
9319a7b02879066d144b9f84f5b9e4c0

SHA1
0634823bf3a1eecb8089634963617e7e484ec45f

SHA256
a9dc5a36a49131fc5c0e0f64eda0f9c00266cf2359aa5689b5dfc7bb74579c69

SHA512
0dad848ba0dc0daf1af8830ad7d54e121c71cf133a83195293ef51a6f02bab2e6fbe27e9b215136f8ceff909c7f54a31d4710bc7d60b4b5b543b67fbdef90bb5

Download Submit
memory/2592-9-0x0000000073A5E000-0x0000000073A5F000-memory.dmp

Filesize
4KB

Download
memory/2592-10-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/2592-13-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-14-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-0-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads