Malware Analysis Report

2024-10-23 20:25

Sample ID 240902-t5l24stfrm
Target EAC spoof.exe
SHA256 ca764d34f8c9277c110260a1bb5cbe8a53578f041580b91b079f1a2e033bb234
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca764d34f8c9277c110260a1bb5cbe8a53578f041580b91b079f1a2e033bb234

Threat Level: Known bad

The file EAC spoof.exe was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

Xenorat family

XenorRat

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-02 16:38

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-02 16:38

Reported

2024-09-02 16:40

Platform

win11-20240802-en

Max time kernel

102s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EAC spoof.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\EAC spoof.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EAC spoof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\XenoManager\EAC spoof.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EAC spoof.exe

"C:\Users\Admin\AppData\Local\Temp\EAC spoof.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\EAC spoof.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\EAC spoof.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

Network

Country Destination Domain Proto
N/A 127.0.0.1:4444 tcp
GB 92.123.128.133:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
JP 13.78.111.198:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
GB 92.123.143.137:443 r.bing.com tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
GB 23.206.78.251:443 cxcs.microsoft.net tcp
GB 92.123.142.10:443 www.bing.com tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp

Files

memory/4496-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

memory/4496-1-0x00000000006F0000-0x0000000000702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XenoManager\EAC spoof.exe

MD5 ddbd0315f3dae3c472a14ff0ddbfd9ab
SHA1 08428859102625ce79bcfd3376b420c79744631c
SHA256 ca764d34f8c9277c110260a1bb5cbe8a53578f041580b91b079f1a2e033bb234
SHA512 89d20fd2276a3198e2c33d7ec14355bf947401760d44958ad7127b22c6834f70159ef403a9fb73dbae93614a86cff376de992b0ea98887e1713a804d312c6fdd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EAC spoof.exe.log

MD5 1294de804ea5400409324a82fdc7ec59
SHA1 9a39506bc6cadf99c1f2129265b610c69d1518f7
SHA256 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0
SHA512 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

memory/1820-15-0x0000000074C30000-0x00000000753E1000-memory.dmp

memory/1820-16-0x0000000074C30000-0x00000000753E1000-memory.dmp

memory/1820-17-0x0000000074C30000-0x00000000753E1000-memory.dmp

memory/1820-18-0x0000000074C30000-0x00000000753E1000-memory.dmp