Overview

overview

10

Static

static

10

RAT.exe

windows11-21h2-x64

10

RAT.exe

macos-10.15-amd64

4

Resubmissions

04-09-2024 09:58

240904-lzvs3azakd 10

04-09-2024 09:53

240904-lw48bsyhqg 10

Analysis

  • max time kernel
    141s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-09-2024 09:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RAT.exe

  • Size

    45KB

  • MD5

    dac50dd8ad6a423bdf5cc713c732a5ad

  • SHA1

    cfaf95d0c4dcc0bce53677ba6e7900bcaf38bd9b

  • SHA256

    dbd2a1eddad30b8a9f2de5f519a2b97f5f3b7bf9306688729b06a01886e75990

  • SHA512

    d7f034fdedad982adbb0ab2112a106965ec6e7bb8f48ac356856d2d8beccfe4f952e0b84dab3c98d8c07b17c9a67ae78e1f5d5f3779c7c83fba9e567a55fe008

  • SSDEEP

    768:KdhO/poiiUcjlJIny3H9Xqk5nWEZ5SbTDaiuI7CPW55:sw+jjgncH9XqcnW85SbTnuIh

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    nothingset

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RAT.exe
    "C:\Users\Admin\AppData\Local\Temp\RAT.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RAT.exe.log
    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\RAT.exe
    Filesize

    45KB

    MD5

    dac50dd8ad6a423bdf5cc713c732a5ad

    SHA1

    cfaf95d0c4dcc0bce53677ba6e7900bcaf38bd9b

    SHA256

    dbd2a1eddad30b8a9f2de5f519a2b97f5f3b7bf9306688729b06a01886e75990

    SHA512

    d7f034fdedad982adbb0ab2112a106965ec6e7bb8f48ac356856d2d8beccfe4f952e0b84dab3c98d8c07b17c9a67ae78e1f5d5f3779c7c83fba9e567a55fe008

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp
    Filesize

    1KB

    MD5

    82ea8ff2747d81323c4df445fdad9385

    SHA1

    802e47d14c98d9f2f76bfa86ae1c27e4a4cacb07

    SHA256

    fd2682af230aec75b6a025f8130ecbe95173246bbdd61055c427809ccd856150

    SHA512

    a6e57a5126d39d65a7786d90a11ca030c0047cb998a32a96a3342327d8b7d0f1709fae9aed4b7d8bf5437e7d5e217e34eb004c1a2a0b08d192cbb545aea21c95

    Download Submit

  • memory/1240-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1240-1-0x0000000000E10000-0x0000000000E22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3036-15-0x00000000748F0000-0x00000000750A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3036-18-0x00000000748F0000-0x00000000750A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3036-19-0x00000000748F0000-0x00000000750A1000-memory.dmp

    Filesize

    7.7MB

    Download