xenorat | a9dc5a36a49131fc5c0e0f64eda0f9c00266cf2359aa5689b5dfc7bb74579c69

General

Target

9319a7b02879066d144b9f84f5b9e4c0N.exe
Size

45KB
MD5

9319a7b02879066d144b9f84f5b9e4c0
SHA1

0634823bf3a1eecb8089634963617e7e484ec45f
SHA256

a9dc5a36a49131fc5c0e0f64eda0f9c00266cf2359aa5689b5dfc7bb74579c69
SHA512

0dad848ba0dc0daf1af8830ad7d54e121c71cf133a83195293ef51a6f02bab2e6fbe27e9b215136f8ceff909c7f54a31d4710bc7d60b4b5b543b67fbdef90bb5
SSDEEP

768:xdhO/poiiUcjlJInJtUH9Xqk5nWEZ5SbTDaHKWI7CPW5g:vw+jjgn/UH9XqcnW85SbTDWIo

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

5.226.137.239

Mutex

Xt_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
aruba

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	9319a7b02879066d144b9f84f5b9e4c0N.exe

Executes dropped EXE 1 IoCs

pid	Process
4136	9319a7b02879066d144b9f84f5b9e4c0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9319a7b02879066d144b9f84f5b9e4c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9319a7b02879066d144b9f84f5b9e4c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4916	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4136	2652	9319a7b02879066d144b9f84f5b9e4c0N.exe	85
PID 2652 wrote to memory of 4136	2652	9319a7b02879066d144b9f84f5b9e4c0N.exe	85
PID 2652 wrote to memory of 4136	2652	9319a7b02879066d144b9f84f5b9e4c0N.exe	85
PID 4136 wrote to memory of 4916	4136	9319a7b02879066d144b9f84f5b9e4c0N.exe	92
PID 4136 wrote to memory of 4916	4136	9319a7b02879066d144b9f84f5b9e4c0N.exe	92
PID 4136 wrote to memory of 4916	4136	9319a7b02879066d144b9f84f5b9e4c0N.exe	92

C:\Users\Admin\AppData\Local\Temp\9319a7b02879066d144b9f84f5b9e4c0N.exe
"C:\Users\Admin\AppData\Local\Temp\9319a7b02879066d144b9f84f5b9e4c0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\XenoManager\9319a7b02879066d144b9f84f5b9e4c0N.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\9319a7b02879066d144b9f84f5b9e4c0N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "aruba" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8899.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9319a7b02879066d144b9f84f5b9e4c0N.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8899.tmp

Filesize
1KB

MD5
4c8ec96e592952261c03dbbd61746a32

SHA1
0def8d9e97ecb1cc9d98bf59c6ffd87b215552fa

SHA256
73537c92c46bd86785c330a1396f641cd8d4dbecba671a452c5bce8c0f559f36

SHA512
0d8803416e8c8dfaa5b81dc85dd0d7dd1069ef6802fabf6098a0a817116c6f375ed470cb04c53cd103bc3588c808c89d1db20ff3b5fe1a2d2c11e1a6aedf0b1b

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\9319a7b02879066d144b9f84f5b9e4c0N.exe

Filesize
45KB

MD5
9319a7b02879066d144b9f84f5b9e4c0

SHA1
0634823bf3a1eecb8089634963617e7e484ec45f

SHA256
a9dc5a36a49131fc5c0e0f64eda0f9c00266cf2359aa5689b5dfc7bb74579c69

SHA512
0dad848ba0dc0daf1af8830ad7d54e121c71cf133a83195293ef51a6f02bab2e6fbe27e9b215136f8ceff909c7f54a31d4710bc7d60b4b5b543b67fbdef90bb5

Download Submit
memory/2652-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/2652-1-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/4136-15-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4136-18-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4136-19-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads