General

  • Target

    afhvser.exe

  • Size

    353KB

  • Sample

    240829-g96absxgje

  • MD5

    d51e11f21698000dc7834221d02d93a1

  • SHA1

    d2a4196c36840b5eaabb9f585d504ebd8278840a

  • SHA256

    819895f1a99faf768a9bd2e8c789d90725c2c9c3da9f446c1522907193ffe2c3

  • SHA512

    c895c0c72f3b7bbb6bf88a366049aa833b775abf5fef6018f120975a4fb98e9866891a3f92cfd09267edbdd1fedc3e1e6b084239b15c4b6bf189ff2e81d61846

  • SSDEEP

    6144:wAbK2Zy++MX+DvKbLPEEVna5zHQICkMUTOYoREG8gn3Hd9oZ2dHnI:5yBMuDv0atjzG8gn3Hd9oZ2NI

Malware Config

Extracted

  • Family

    xenorat

  • C2

    45.66.231.26

  • Mutex

    Uolid_rat_nd8889j

Attributes

  • delay

    60000

  • install_path

    appdata

  • port

    1356

  • startup_name

    ace

Targets

    • Target

      afhvser.exe

    • Size

      353KB

    • MD5

      d51e11f21698000dc7834221d02d93a1

    • SHA1

      d2a4196c36840b5eaabb9f585d504ebd8278840a

    • SHA256

      819895f1a99faf768a9bd2e8c789d90725c2c9c3da9f446c1522907193ffe2c3

    • SHA512

      c895c0c72f3b7bbb6bf88a366049aa833b775abf5fef6018f120975a4fb98e9866891a3f92cfd09267edbdd1fedc3e1e6b084239b15c4b6bf189ff2e81d61846

    • SSDEEP

      6144:wAbK2Zy++MX+DvKbLPEEVna5zHQICkMUTOYoREG8gn3Hd9oZ2dHnI:5yBMuDv0atjzG8gn3Hd9oZ2NI

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks