xenorat | 91b31fde4f5195f9d8d5ce980f029bdb89a6c9e9120c0258ae058ac7a621d4eb | Triage

Sharing

General

Target

RetardScript_v3.24.523.exe
Size

45KB
Sample

240828-pc72nazbjm
MD5

1f6106784cc64d2c97a8eb2ba81198f4
SHA1

9fb82fb9aab5fcc6f55d991260ab6312f8d1a1b0
SHA256

91b31fde4f5195f9d8d5ce980f029bdb89a6c9e9120c0258ae058ac7a621d4eb
SHA512

4ff2c2b5374f422ee18d8b3c9d45a4f91d0dee8d8f34b1a1c7623ad6410999d2ded4aa3ffce2d6ff299ac4cff1f21f7ff39f1cc5558f435a5a85a7ea7a36e2c0
SSDEEP

768:kdhO/poiiUcjlJInGFH9Xqk5nWEZ5SbTDaeWI7CPW5i:+w+jjgn2H9XqcnW85SbTvWIa

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

C2

147.185.221.19

Mutex

5aafKEYsYk

Attributes

delay
5000
install_path
temp
port
4748
startup_name
JavaW

Targets

- Target
  
  RetardScript_v3.24.523.exe
- Size
  
  45KB
- MD5
  
  1f6106784cc64d2c97a8eb2ba81198f4
- SHA1
  
  9fb82fb9aab5fcc6f55d991260ab6312f8d1a1b0
- SHA256
  
  91b31fde4f5195f9d8d5ce980f029bdb89a6c9e9120c0258ae058ac7a621d4eb
- SHA512
  
  4ff2c2b5374f422ee18d8b3c9d45a4f91d0dee8d8f34b1a1c7623ad6410999d2ded4aa3ffce2d6ff299ac4cff1f21f7ff39f1cc5558f435a5a85a7ea7a36e2c0
- SSDEEP
  
  768:kdhO/poiiUcjlJInGFH9Xqk5nWEZ5SbTDaeWI7CPW5i:+w+jjgn2H9XqcnW85SbTvWIa
Score

10^/10

xenorat discovery rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xenoratdiscoveryrattrojan