xenorat | 0ca5044d7ae4946054b9223c835bd347df3752aab2a3126bb81dd8c4f7df2747 | Triage

Sharing

General

Target

0ca5044d7ae4946054b9223c835bd347df3752aab2a3126bb81dd8c4f7df2747
Size

93KB
Sample

240828-1xsy1sycne
MD5

dd5bb25f95f8461e2c41241d721423a4
SHA1

07060e6b29ac7723ec8fbfba690a648e78d37289
SHA256

0ca5044d7ae4946054b9223c835bd347df3752aab2a3126bb81dd8c4f7df2747
SHA512

19f7797a3bc0e0f8a7d9b5a6b0208dac576c15e492a4b034c9baa50b8f1c69b2dd76dd2761d8b4fa5b4c1e3a957b387dc09fb377510fef7b89e674ef2554c157
SSDEEP

1536:lhh9X2MVkxk0+pJiMFGO2RLWk1gWVlEaTELbcupI5Wj8F5u97zZ5CvOJIpcF3imb:qyaVCiMUlLggltOYupI5Wj979Mm++3Jb

Score

10^/10

xenorat discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/LoneNone1807/batman/main/startup

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tvdseo.com/file/Document-3.zip

Extracted

Family

xenorat

C2

15.235.176.64

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Targets

- Target
  
  侵犯版權證據.pdf.exe
- Size
  
  199KB
- MD5
  
  64909901256d98b929a187fd27cae564
- SHA1
  
  cd36c89f3dede517f95361a4fedf334317ff4a27
- SHA256
  
  e956c97576314addcf1245717623e8da9469ee2a85981ce4969a6079c324983f
- SHA512
  
  529864aa15a6296eaf0e44f504467753f161ffeb54389c26fb16396ddb2581ef4b42c8e1befcace7ddc549cf70f3f3ddb879ab8c6f935a473ad34082d7d24958
- SSDEEP
  
  3072:8sg9C3jzOavaNZV5HEb28U3ZEUV9QRT42+xB00j:8sz3jzOavQZM63ZEe6i0
Score

10^/10

execution xenorat discovery persistence rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xenoratdiscoveryexecutionpersistencerattrojan